Questioning Your Device

Academic year: 2021


Questioning Your Device

____________________________________________________

Why companies should think twice before choosing “Bring Your Own Device”

Written by: Cherissa Appelman

Student number: s1923242

Supervised by: Dr. Vlad Niculescu-Dincă

Leiden University - Faculty of Governance and Global Affairs

MSc Crisis and Security Management


“Do something today that your future self will thank you for”

- Anonymous

I am very grateful for what the “past me” has accomplished over the course of this MSc. Truly, I have challenged myself in ways that I did not think possible before (including the ability to drink more than 5 cups of coffee a day and still feel sleepy).

I would like to present my deepest appreciation to all interviewees for taking the time to contribute to this research and making my graduation possible. Moreover, I would like to thank my supervisor for his guidance throughout this process. Last but not least, I would like to express my gratitude to all my friends and family for their unwavering support and pep-talks.


Table of contents

____________________________________________________

Abstract 5

1. Introduction 6

1.1. Information security in a digital world 6

1.3. Managing the human factor in information security 7

1.4. Research question 9

1.5. Academic relevance 9

1.6. Societal relevance 12

2. Theoretical framework 14

2.1. The Protection Motivation Theory 14

2.2. The Theory of Planned Behaviour 16

2.3. The Integrated Behavioural Model 17

3. Methodology 20

3.1. Research design 20

3.2. Sampling 20

3.3. Data collection 22

3.4. Data analysis 22

3.5. Unit of Analysis 23

3.6. Reliability and validity 23

4. Analysis 24

4.1. The threats, vulnerabilities and risks of the BYOD-model in the Dutch private sector 24

4.1.1. Threats of the BYOD-model 24

4.1.2. Vulnerabilities of the BYOD-model 26

4.1.3. Risks of the BYOD-model 28

4.2. The perspective of experts on the role of information security managers and employees in contributing to information security in Dutch companies with a BYOD-model 30

4.2.1. The role of information security managers 30

4.2.2. The role of employees 33

4.3. Information security managers versus employees: Understanding of how the BYOD-model impacts information security and related behaviour 34


4.3.2. Threat appraisal of the BYOD-model - Perceived vulnerability 36

4.3.4. Coping appraisal 39

4.3.5. Coping appraisal - Response efficacy 40

4.3.6. Coping appraisal - Self-efficacy 41

4.3.7. Coping appraisal - Response costs 43

4.3.8. Rewards 44

4.3.9. Attitude 46

5. Conclusion, discussion and recommendations 49

5.1. Conclusion 49

5.2. Discussion 52

5.3. Practical recommendations 53

6. References 55

Appendix 1a: Semi-structured interview format (Experts and Information security managers) 60

Appendix 1b: Semi-structured interview format (Employees) 61


Abstract

____________________________________________________

Employees have a critical role in the protection of information and other data assets held on IT-systems in companies. Hence, supporting the information security behaviour of employees is considered a top priority of information security managers. In Dutch companies, allowing employees to use personal devices for work-related tasks is considered a common practice. This IT-model, known as Bring Your Own Device, has considerable implications for information security in companies.

However, there is little to no research conducted on what security actors understand about the BYOD-model. Drawing upon social cognitive theories of behaviour, this study assesses the understanding of experts, information security managers and employees on how the BYOD-model impacts information security and related behaviour. Interviews with experts, as well as information security managers and employees in companies with a BYOD-model, revealed similar and contrasting patterns in understanding. Recommendations for future research and practice are discussed.


1. Introduction

____________________________________________________

This chapter consists of the introductory paragraphs. First, the research problem is outlined. Next, the main research question and three sub-questions are defined. Finally, the academic and societal relevance are explained.

1.1. Information security in a digital world

The number of people using the internet is ever-growing and in 2018 almost half of the world’s population is online (International Telecommunications Union, 2017). The internet has become interwoven with our daily lives, and organisational activities rely heavily on Information Technology (IT) systems. Governments and private companies use web-based services to store information resources, ranging from citizen or customer records to confidential company records (Thomson & Solms, 2005). This means the importance of information security has expanded to the digital domain. Information security is defined as the preservation of confidentiality, integrity and availability of information (Solms & Niekerk, 2013). While digitalisation offers many advantages such as increased productivity, reduced costs, easy and all-round access to information and enhanced information preservation, it should be noted that it also comes with threats (Aptara Corp, 2017). Cyber attacks can compromise customer records, damage internal records, and manipulate or destroy information (PwC, 2018). When successful, a cyber attack can result in major financial, brand and reputation losses for organisations (Knapp et al., 2006; Kaur & Mustafa, 2013). In the past years, the global number of information security incidents occurring in organisations has increased dramatically (PwC, 2018; Tatu et al., 2018). Hackers constantly develop new and different methods for achieving security breaches, which makes it difficult to defend against these threats. Rightfully, the protection of information and other data assets held on IT-systems is a major concern for organisations and has become a top managerial priority (Ifnedo, 2011). Organisations invest significant resources in technology-based countermeasures such as anti-virus scanners, firewalls, and intrusion detection and prevention systems (Rhee, Kim and Ryu, 2009). However, the aforementioned tools and measures only offer a technological solution to this problem, while humans are often the weakest link in the information security chain (Rhee, Kim and Ryu, 2009; Burcu, Cavusoglu and Benbasat, 2010; Ifnedo, 2012). The activities and measures taken by employees to prevent an information security incident, from here onwards referred to as information security behaviour, are an important element of the protection of information held in IT-systems.


1.2. Bring Your Own Device: A threat for information security in the Netherlands?

One reason for heightened concern about the role of employees in information security is that many companies have shown increasing interest in and tolerance for employees using their own private devices to access work data and applications. This concept is known as Bring Your Own Device (BYOD), and represents a significant change from past IT-models where organisations typically only allowed employees to use corporate-owned equipment for work-related tasks (Pinchot & Paullet, 2015). Nowadays, the majority of employees have a sophisticated smartphone and/or laptop that can function as well as a corporate desktop (Fujitsu, 2015). Allowing the use of private devices for work has multiple benefits: the company does not have to spend a considerable amount on procurement of corporate devices, and employees are familiar and comfortable with the functionalities of their device and do not need training. Furthermore, increased employee productivity and a more positive attitude towards the company are readily associated with the BYOD-model (Ghosh et al., 2013; Pinchot & Paullet, 2015; Brodin et al., 2015). However, having a large number of mobile devices that can access corporate data increases information security risks (Pinchot & Paullet, 2015). While a company can prevent an information security incident by adding many technological countermeasures to corporate IT-systems, it has limited to no control over the private devices of employees (Ghosh et al., 2013). Hence, the information security behaviour of employees in companies that have implemented the BYOD-model becomes even more important in mitigating information security threats.

In the Netherlands, BYOD is no longer a trend but already considered reality. In 2015, over 70% of Dutch employees used private devices, such as smartphones or laptops, for work purposes (Fujitsu, 2015). Alarmingly, research indicates the majority of Dutch companies that allow employees to use their private devices are experiencing problems with information security behaviour. Security provider Fortinet conducted research among Dutch employees between 21 and 31 years old and found that 57% of this group would be willing to ignore company policies if these would limit the use of their private phone (Hulsman, 2013). This casts doubt on the level of information security in Dutch companies that have implemented the BYOD-model and raises concerns about the information security behaviour of the employees in question.

1.3. Managing the human factor in information security

It has been found that employees generally pose considerable intentional and accidental security risks to organisations (Posey et al., 2014). In 2018, a global information security survey stated that employees are the top source of security incidents (PwC, 2018). Most employees have access to information on IT-systems, which means they also have a critical role in preserving information security. Information security awareness concerns the degree of understanding of users about the importance of information security and their responsibilities and activities needed to protect information resources (Shaw et al., 2009). Information security managers have expert knowledge on information security practices, and are responsible for enhancing information security awareness and behaviour of users at all levels of the organisation (Albrechtsen & Hovden, 2009). To support employees’ information security awareness and behaviour, information security managers develop and/or implement information security interventions such as campaigns, trainings and policies. Information security policies (ISP) are established rules that address specific security issues by providing instructions to the employees as to what they should do when they interact with the information and technology resources of their organisations (Bulgurcu et al., 2010). Developing organisational rules, guidelines and requirements has proven to be an important measure for the prevention of information security incidents caused by human error (Burcu, Cavusoglu and Benbasat, 2010; Ifnedo, 2012). However, ISP are typically developed along the lines of what information security managers find important. Research has shown that simply imposing guidelines does not always lead to behavioural change of employees; moreover, if authoritarian approaches go too far, they can even have the opposite effect (Posey et al., 2014).

Previous studies have attempted to gain a better understanding of the information security behaviour of employees, but their findings have mainly been accumulated from the opinions and experiences of information security professionals (Ifnedo, 2012; Posey et al., 2014). This is potentially problematic, as information managers and experts are typically removed from day-to-day tasks and might not completely understand the daily tasks and challenges an employee is faced with. In order to create a secure environment, rules and guidelines on information security should be consistent with employees’ work practices and challenges (Posey et al., 2014; Pham et al., 2017). At the same time, employees need to understand why information security and the recommended practices are important for the organisation (Posey et al., 2014).

This research aims to identify potential gaps in understanding between experts, information security managers and employees on how the BYOD-model impacts information security and related behaviour in Dutch companies. First, it is intended to find out whether the BYOD-model is detrimental to the information security of companies. Interviews with security experts will be conducted to elicit current threats, vulnerabilities and risks of the BYOD-model in the Netherlands. Moreover, experts will give their perspective on the role of information managers and employees in companies with a BYOD-model.

The second part of this study aims to gain insights on how information security managers and employees in Dutch companies understand information security and related behaviour in the context of the BYOD-model. Thus, interviews with both information security managers and employees will be conducted to reveal potential differences in understanding on how the BYOD-model impacts information security and related behaviour.

1.4. Research question

This leads to the following question guiding this research:

What are the differences (and similarities) in understanding between experts, information security managers and employees on how the BYOD-model impacts information security and related behaviour in Dutch companies?

Guided by the main research question, the following sub-questions will be assessed:

1. What are the security threats, vulnerabilities and risks for Dutch companies which have implemented the BYOD-model?

2. What is the experts’ assessment of the role of information security managers and employees in contributing to information security in Dutch companies which have implemented the BYOD-model?

3. How do information security managers and employees in Dutch companies understand the impact of the BYOD-model on information security and related behaviour?

1.5. Academic relevance

The Netherlands provides a relevant case study, as the BYOD-model is considered a very common practice in many Dutch companies. However, there is little to no available research on the BYOD-model in Dutch companies. Most information on the impact of the BYOD-model is either at least three years old or from global surveys. Hence, there is a clear gap in the literature when it comes to providing an overview of the current security threats, vulnerabilities and risks of the BYOD-model in the Netherlands.


When it comes to the human factor in information security, concerns about the overall lack of knowledge have been raised in both academic and field research (Rhee, Kim and Ryu, 2009). Consequently, the role of employees in information security has gained popularity as a research topic. Studies have underlined the significance of having organisational rules and policy to influence the information security behaviour of employees (Ifnedo, 2012; Bulgurcu et al., 2010; Lee et al., 2008; Pahnila et al., 2007; Knapp et al., 2006). However, as mentioned before, simply instating ISP does not guarantee employees’ compliance with them (Burcu, Cavusoglu and Benbasat, 2010). Therefore, research has turned to behavioural theories to identify which factors influence information security behaviour. Criminological theories such as General Deterrence Theory, Rational Choice Theory and Crime Prevention Theory have been applied in many studies on information security behaviour (Anderson and Agarwal, 2010). These studies have stated that severe punishment and penalties can deter undesired information security behaviour, but have been challenged by newer insights showing that the evidence on the effectiveness of such sanctions is inconclusive (Aurigemma & Mattson, 2014; Herath & Rao, 2009). When evaluating the threat of employees in information security, a distinction can be made between malicious and non-malicious employees. Whereas malicious employee behaviour is intentional and deviant (sabotage, stealing, espionage etc.), non-malicious employee behaviour can range over a continuum from volitional to non-volitional (characterised by lack of awareness, ignorance, resistance, apathy etc.) (Aurigemma & Mattson, 2014). Taking into account that not all employees have malicious intentions, the threat of punishment alone is not enough to ensure all employees perform information security behaviour in an organisation.

To understand the background and underlying reasons of non-malicious employee behaviour, social cognitive psychology theories have proven useful. Constructs of social cognitive theories such as the Protection Motivation Theory and the Theory of Planned Behaviour provide a framework that identifies individual factors that influence motivation and behavioural intent. There is an abundance of studies that have used these social cognitive theories to predict behaviours related to information security both at home and in organisations (Woon et al., 2005; Lee and Larsen, 2009; Ng et al., 2009; Bulgurcu et al., 2010). Pahnila et al. (2007) and Ifnedo (2012) applied a theoretical framework including the Protection Motivation Theory and Theory of Planned Behaviour to investigate employees’ compliance with ISP and found attitude, normative beliefs and the evaluation of information security threats to have a significant impact. What’s more, Siponen et al. (2007) and Herath and Rao (2009) conducted a similar study among employees and found threat appraisal, perceptions of response efficacy, self-efficacy and response costs likely to affect information security behaviour. In conclusion, earlier research based on the Protection Motivation Theory and Theory of Planned Behaviour has been able to explain information security behaviour to some extent.

Even though the aforementioned research has provided some insights on what factors influence information security behaviour, it has been argued that there is a lack of research that explores and effectively analyses the perspective of users with respect to information security (Mouratidis et al., 2008; Pham et al., 2017). In general, ISP reflect what factors information managers or experts think have a positive influence on information security behaviour, and it remains unclear whether this view aligns with the perspectives of employees (Albrechtsen & Hovden, 2009). There are reasons to assume information security managers and employees have diverging views. Chang et al. (2017) compared how security is perceived by IT and non-IT professionals, and the extent to which the perceptions of each were communicated. Findings demonstrated that there are clear differences in how these two groups think and communicate about information security. Next, Mouratidis et al. (2008) researched the perspectives of general management and security experts on network security, and found a disagreement between the two groups on how they evaluated the effectiveness and efficiency of security measures. A study by Albrechtsen & Hovden (2009) found differences between information security managers’ and employees’ views on and experience with information security practices. Information security managers mostly viewed users as a security threat and wanted to give them as few responsibilities as possible, whereas employees were actually keen on contributing towards organisational security. Furthermore, studies by Posey et al. (2014) and Pham et al. (2017) have adopted Protection Motivation Theory as a theoretical framework to understand the views of information security professionals and employees on how users become motivated to protect their organisation against information security threats. Both studies confirmed that there is a divide between these groups. Posey et al. (2014) found that information security professionals and employees had very different understandings of information security threats and vulnerabilities. Employees considered hackers and inadequate systems as threat actors to information security, in contrast to information security professionals, who viewed inexperienced employees as the biggest threat. Last, Pham et al. (2017) found that managers and experts preferred to limit autonomy to enhance information security behaviour, whereas end-users found this de-motivating and rather wished to be autonomous and active participants in the information security process.

This study will expand the research conducted by Posey et al. (2014) and Pham et al. (2017) on the different perspectives between security actors. Both studies have found indications of a gap between information security professionals and employees, but have not explored specific information security challenges such as the BYOD-model. Next, this study proposes to add the Theory of Planned Behaviour to the theoretical framework. The Theory of Planned Behaviour has been previously integrated with the Protection Motivation Theory, and was successfully utilised to understand an individual’s adoption of information security behaviour (Pahnila et al., 2007; Ifnedo, 2012). The study of Posey et al. (2014) indicated that employees’ commitment to the organisation as well as to colleagues had an impact on information security behaviour. The Theory of Planned Behaviour provides a framework to further examine the perception of attitudes and subjective norms. Finally, little to nothing is known about the understanding of employees regarding the information security implications of the BYOD-model.

1.6. Societal relevance

The Ministry of Justice and Security of the Netherlands acknowledged that the digital resilience of individuals and organisations is lagging behind (NCTV, 2017). Hence, the Dutch government has been actively engaged in a number of initiatives to strengthen cybersecurity awareness and behaviour in society. Cybersecurity concerns the protection of information resources but also that of other assets in cyberspace, including the user (Von Solms & Niekerk, 2013). Campaigns such as ‘Alert Online’ and ‘Veilig internetten.nl’ aim to inform users about different sorts of cyber attacks, and more importantly try to motivate cyber-secure behaviour both at work and at home (Motivaction International et al., 2017). The campaigns provide guidance on topics such as setting a secure password, not clicking on suspicious emails and how to make back-ups of your important data (Veilig internetten.nl, 2018). To measure cybersecurity awareness and behaviour of users in the Netherlands, a yearly survey on cybersecurity awareness is conducted. The latest survey [1] concluded that 75% of employees were not worried about cybersecurity at work. In addition to estimating the risk and impact of a cyber attack as very low, respondents estimated their online skills to be very good. Alarmingly, half of all employees stated to have never received information from their employer on information security. Moreover, it was found that many employees had no clue about the security procedures concerning personal customer data. These results indicate employees in Dutch companies are a huge security risk.

As mentioned before, employees play an important role in the protection of information and other data assets held in IT-systems of companies. There are two important developments that increase the necessity of understanding how to motivate employees’ secure use of personal devices. First, the BYOD-model is globally expected to grow exponentially in popularity (Cisco Systems, 2017). Technological developments such as cloud computing [2] have enabled private devices to be well connected to the corporate network and have remote access to applications of the organisation (Ghosh et al., 2013). However, there are multiple concerns about the potential vulnerabilities of the BYOD-model. First of all, private devices that are connected to confidential corporate data systems can get lost or stolen. Secondly, the private devices used by employees for work purposes might, for example, lack security measures such as anti-virus scanners, software updates and secure configuration settings. Last, employees can freely download software, join insecure networks and store (confidential) data on other devices outside of the company’s protected network (Brodin et al., 2015). In conclusion, the BYOD-model increases the chance of corporate data being compromised or leaked. It should be noted that this does not only concern corporate data on the private device of the employee in question: malware on private devices can easily spread to the workplace, and any weak link in security can lead to serious data breaches in the corporate network.

Second, the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. This new European privacy law intends to strengthen and unify data protection within the European Union. Companies are allowed to gather, store and process personal data, but have the responsibility to implement strong safeguards. It has been estimated that the Dutch private sector will have additional annual compliance costs of up to €1.4 billion (Cats, 2018). All companies, regardless of size, that store personal data need to make sure that their information security is up to par. Further, companies are obliged to inform authorities about a data breach within 72 hours. Failure to adhere to the GDPR can lead to a fine of up to 20 million euro (European Council, n.d.). This means that the possible consequences of employees’ poor information security behaviour are now more severe than ever.

[1] The annual survey on National Cybersecurity Awareness 2017 used a representative sample of 1123 Dutch

[2] Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (Mell & Grance, 2011).


2. Theoretical framework

____________________________________________________

Social behavioural theories have previously been used to identify factors that lead to the adoption of information security behaviour. Studies by Posey et al. (2014) and Pham et al. (2017) successfully utilised the Protection Motivation Theory and Theory of Planned Behaviour to understand the views of information security professionals and users on information security practices. This chapter explains both theories, which provide the framework of this study. Last, an Integrated Behavioural Model is proposed to research the understanding of multiple information security actors on how the BYOD-model impacts information security and related behaviour.

2.1. The Protection Motivation Theory

The Protection Motivation Theory (PMT) by Rogers (1975) was initially developed to explain the influence of fear appeals on health attitudes and behaviours. A fear appeal is communication about imminent threats to an individual’s well-being accompanied by information on how to avoid their impact (Rogers, 1975). According to PMT, fear appeal communication initiates cognitive processes concerning the severity of a threat, the probability of an event occurring and the effectiveness of a coping response, which can change individual attitudes and, subsequently, change behaviour to protect oneself from danger. Furthermore, two types of behaviour are possible when an individual is faced with a threat: adaptive and maladaptive behaviour. Adaptive behaviours are the activities that successfully reduce the effects of the threat, and thus are helpful in deterring the danger. Maladaptive behaviours are activities that only reduce the effects of the threat, but do not lessen the danger. The latter often leads to individuals downplaying their fear and having a false sense of safety (Rogers, 1975). In the context of information security behaviour, an example of adaptive behaviour is regularly updating your devices, and an example of maladaptive behaviour is thinking it is not necessary to take precautions because an information security incident can only happen to others. In 1983, Maddux & Rogers revised this model and established a more general theory of cognitive change that acknowledged the importance of social learning theory.

The revised PMT suggests that the tendency to adopt certain behaviour is the result of expectancies regarding the consequences of the behaviour and the value of those consequences. In essence, PMT constitutes two sequential cognitive processes: threat appraisal and coping appraisal (see figure 1). An individual must first believe a threat applies to him or her before considering preventive behaviour. Threat appraisal describes the process of evaluating the perceived level of danger posed by threatening events, and is measured in perceived vulnerability and perceived severity. Perceived vulnerability concerns an individual’s evaluation of the probability of threatening events. Perceived severity assesses how serious an individual believes the threatening event is to his or her own life. Last, fear arousal evaluates the level of fear the threatening event evokes for the individual and is seen as an intermediary variable. This means higher levels of perceived vulnerability and severity lead to higher levels of fear arousal, and subsequently higher threat appraisal. PMT reasons that the greater the perceived level of threat, the more likely a behavioural intention to adopt protective behaviour will be formed (Maddux & Rogers, 1983). However, rewards that result from not engaging in protective behaviour can decrease threat appraisal. Rewards can result from extrinsic motivation (e.g., social approval of current behaviour) and intrinsic motivation (e.g., receiving physical or psychological pleasure from current behaviour).

Taking notions from the social learning theory of Bandura (1977), coping appraisal refers to the process of evaluating the perceived ability of an individual to cope with threatening events, and is measured in self-efficacy, response efficacy and response costs. Response efficacy is the individual’s belief as to whether the recommended coping behaviour will be effective in deterring threatening events. Self-efficacy concerns the individual’s belief in his or her capabilities to cope with threatening events or conduct the recommended behaviour. While higher levels of self-efficacy and response efficacy increase the likelihood of adopting a given behaviour, response costs can have a decreasing effect. Response costs refer to the perceived costs of adopting the coping response, in terms of money, time and effort. The relation between threat and coping appraisal results in the intention to perform certain behaviour.


2.2. The Theory of Planned Behaviour

The Theory of Planned Behaviour, hereafter TPB, of Ajzen (1991) was developed to gain a better understanding of the relationships between attitudes, intentions and behaviours. Whereas previous studies in behavioural psychology were unsuccessful in establishing a strong relation between attitudes and behaviour, TPB demonstrated that measuring attitude toward a specific behaviour (e.g., attitude towards regularly updating your IT-systems) instead of an object (such as information security) is a much better predictor of behaviour (Ajzen, 1991). The theory proposes three constructs that directly influence behavioural intent: attitude, subjective norms and perceived behavioural control (see figure 2). First, attitude concerns an individual’s general feeling of favourableness or unfavourableness for a specific behaviour. Secondly, subjective norm refers to an individual’s normative beliefs, or the social pressure to perform specific behaviour based on what important others think (e.g., your colleagues expressing that it is important not to click on suspicious links). Last, the notion of perceived behavioural control was added to the theory. Perceived behavioural control concerns an individual’s perception of how difficult or easy performing specific behaviours is. The latter is measured by the presence or absence of facilitators and barriers to carry out specific behaviour and the perceived control to facilitate or inhibit the specific behaviours. In a similar regard as PMT, the constructs of TPB directly affect behavioural intention, which subsequently determines behaviour.

Furthermore, it should be noted that TPB accounts for the influence of other factors such as demographic, personality and environmental characteristics by assuming that these variables influence attitude, subjective norm and perceived behavioural control and do not independently influence the likelihood of carrying out behaviour (Ajzen, 1991).


2.3. The Integrated Behavioural Model

This study combines the constructs of PMT and TPB to research the understanding of experts, information security managers and employees on how the BYOD-model impacts information security and related behaviour. The Integrated Behavioural Model, hereafter IBM, builds on the assumption that the components specified in PMT and TPB lead to the adoption of information security behaviour. There is however one important adaptation in IBM regarding the rewards construct. Previous research has shown that users gain neither intrinsic nor extrinsic rewards for information security behaviour, but has noted that rewards can serve as an extrinsic motivator in facilitating certain behaviour (Woon et al., 2005; Pahnila et al., 2007; Posey et al., 2014). Thus, rewards are adapted to tangible (money, gifts, awards etc.) or intangible (compliments, praise by others etc.) means to increase behavioural intent. The conceptualisation of each construct applied to the BYOD-model and related behaviour of employees is as follows:

• Threat appraisal is the evaluation of information security threats to a Dutch company with a BYOD-model;

• Perceived vulnerability is conceptualised as the evaluation of the likelihood of an information security incident occurring in a Dutch company with a BYOD-model;

• Perceived severity refers to the evaluation of the severity of the possible consequences of an information security incident occurring at a Dutch company with a BYOD-model;

• Coping appraisal are the activities or measures an employee takes to prevent an information security incident occurring on personal devices;

• Self-efficacy is the employees’ evaluation of their ability to perform activities or measures that prevent an information security incident on personal devices;

• Response efficacy concerns the employees’ evaluation of the impact of taking preventative activities or measures on personal devices;

• Response costs are the potential disadvantages of taking preventative activities or measures on personal devices that an employee considers;

• Rewards are the tangible or intangible means to motivate employees to take preventative activities or measures on personal devices;

• Attitude is the employees’ positive or negative feelings towards engaging in preventative activities or measures on personal devices;

• Subjective norms are an employees’ understanding of what others in the workplace think about preventative activities or measures on personal devices;

• Perceived behavioural control is the employees’ perceived ease or difficulty of performing BYOD-model related behaviour. It should be noted that this construct is derived from self-efficacy and measures the same behavioural factor. In the IBM framework, this construct is the same as self-efficacy.

Figure 3. Schematic presentation of the Integrated Behavioural Model [3]

According to IBM, the constructs explained above can result in employees taking or not taking preventative activities and measures on their personal devices. Ideally, employees in Dutch companies would perform preventative activities or measures (or adaptive behaviours) that successfully reduce the effects of the threats related to the BYOD-model. Table 1 gives an overview of the influence of each construct on the intention to perform adaptive behaviours.

[3] Note: Upper grey area shows the constructs of the Protection Motivation Theory and the latter black part


Table 1. IBM constructs and proposed influence on adaptive behaviours

| IBM construct | Definition | Proposed influence on adoption of adaptive behaviours |
|---|---|---|
| Threat appraisal | The potential threats related to the BYOD-model identified | - |
| Vulnerability | The extent to which an employee believes they are susceptible to threats related to the BYOD-model | Positive |
| Severity | The extent to which an employee believes the threats related to the BYOD-model are severe | Positive |
| Coping appraisal | The activities or measures that prevent an information security incident from occurring on personal devices | - |
| Response efficacy | The belief that particular behaviour is effective in preventing an information security incident on personal devices | Positive |
| Self-efficacy | The self-confidence in being able to perform activities or measures that prevent an information security incident from occurring on personal devices | Positive |
| Response costs | The potential drawbacks of activities or measures that prevent an information security incident from occurring on personal devices | Negative |
| Rewards | Tangible or intangible means to motivate employees to take activities or measures to prevent an information security incident from occurring on personal devices | Positive |
| Attitude | The positive or negative feelings towards engaging in preventative activities or measures on personal devices | Positive attitude - positive; Negative attitude - negative |
| Subjective norms | The social pressure of others in the workplace to perform | |


3. Methodology

____________________________________________________

This chapter elaborates on how this study aims to find an answer to the proposed research question. First, the research design and sampling are described. Further, the process of data collection and analysis is explained. Last, the reliability and validity of this study are discussed.

3.1. Research design

This research followed a qualitative approach and implemented a multiple case-study design to identify the understanding of experts, information security managers and employees on how the BYOD-model impacts information security and related behaviour. Qualitative case studies are able to give in-depth knowledge about complex subjects such as the understanding of security actors. Moreover, studying multiple cases is considered robust and reliable (Baxter & Jack, 2008).

3.2. Sampling

Guided by the sub-questions, this research was conducted in two stages. In an effort to gain expert knowledge on the current threats, vulnerabilities and risks of the BYOD-model, as well as BYOD-related behaviour in Dutch companies, semi-structured interviews were held with 4 information security experts. The first characteristic for the case selection was knowledge of information security. Second, experts were selected based on either knowledge of or experience with the human factor within information security. Last, all experts were familiar with the BYOD-trend. Based on all three characteristics, a sample of experts in the field of information security was selected and recruited through social media (LinkedIn) and personal contacts. Table 2 gives an overview of the background of the expert interviewees.

Table 2. Experts characteristics

| Label | Position | Organisation | Expertise |
|---|---|---|---|
| E.1. | Senior policy officer | Dutch Ministry of Justice & Security | Cybercrime & Awareness |
| E.2. | Senior policy officer | Dutch Ministry of Economic Affairs & Climate | Cybersecurity & Awareness, focus on SME |
| E.3. | Policy officer | National Coordinator for Security and Counterterrorism | Cybersecurity & Awareness |


The second part of this research focused on how information security managers and employees understand the BYOD-model and related behaviour. Based on previously gained information on the implementation of the BYOD-model in the Netherlands, typical case sampling was used. The first characteristic was to ensure companies are working with confidential data. Second, companies had to allow their employees to use personal devices for work purposes. Last, it was decided to approach companies in the financial industry. In general, the financial industry is deemed a very attractive target for malicious third parties. As a result, two Dutch Small and Medium Enterprises (<250 employees) in the financial services industry were selected (Table 3).

Table 3. Company characteristics

| Label | Core business | N.o. employees | Confidential data employees have access to | BYOD-model |
|---|---|---|---|---|
| A | Mediator in insurances | 150-200 | Customer data | Employees can under specific conditions use personal computer for work |
| B | Investment broker | 50 | Customer data, trade secrets (profits/losses) | Employees can use personal mobile phones and laptops for work |

In both companies data gathering consisted of a total of 10 interviews with information security managers (n=3) and employees (n=7). Managers were purposefully selected based on their responsibility for the information security behaviour of employees (in company B this responsibility was shared between the information security manager and the compliance manager). Employees were selected through purposive sampling, had access to sensitive information and used their personal devices at least two times a month for work. Table 4 summarises the company roles and age of all interviewees.

Table 4. Information security manager and employees characteristics

| Label | Position | Company | Age |
|---|---|---|---|
| Information security manager | | | |
| A.1. | Information Security Manager | A | 29 |
| B.1. | Information Security Manager | B | 33 |
| Employees | | | |
| a.2. | Administrative officer | A | 50 |
| a.3. | Administrative officer | A | 27 |
| b.3. | Administrative Manager | B | 28 |
| b.4. | Branche Manager | B | 30 |
| b.5. | Customer Service Manager | B | 30 |
| b.6. | Administrative officer | B | 36 |

3.3. Data collection

Data was gathered by means of semi-structured interviews over a time period of 8 weeks. Questions were prepared in advance, but allowed new ideas to be brought up during the interview as a result of what the interviewee said. Moreover, questions were guided by the constructs of IBM (see operationalisation in Appendix 1). The interviewer was permitted to ask follow-up questions to stimulate or help the interviewee until enough information was elicited. All semi-structured interviews lasted between 25 and 45 minutes and were conducted in Dutch or English, depending on the native language of the participant. Further, interviews were held in person, or in the case of two experts via Skype, and conducted by the same researcher. Before the interview, participants signed an informed consent form (see Appendix 2) and were explicitly asked permission to record the conversation under strict confidentiality. To elicit honest responses, interviewees were guaranteed that all data was anonymised and could not be traced back to individual interviewees or companies. Participants did not receive a monetary reward for their participation.

3.4. Data analysis

After completing data collection, the content of all interviews was transcribed verbatim. The data was categorised with respect to the constructs of the IBM. Next, themes within each construct were coded and counted for all groups using Atlas.ti. Codes were developed by observing patterns of themes and ideas while reading the data (emergent codes). For clarity, data from information security managers and employees is represented as percentages of singular responses within each construct of IBM. A single response could be assigned to more than one code.


3.5. Unit of Analysis

In this research, differences (and similarities) in understanding between experts, information security managers and employees will be analysed. By means of individual interviews, perspectives at the level of each group are accumulated and analysed.

3.6. Reliability and validity

For purposes of reproducibility, the interview questions can be found in Appendix 1. Further, transcripts of all interviews are anonymised and available upon request. To increase the validity of the research, respondents were asked to comment on the interview transcripts and on whether the final themes and concepts created adequately reflected their understanding of the BYOD-model and related behaviour. Moreover, to ensure internal reliability of the data analysis, an independent rater with basic knowledge of behavioural psychology was given a small sample of the data to check the coding.

In terms of limitations, the personal interaction between interviewer and interviewee led to slight differences in questions, which decreased the internal reliability of the research. Next, due to time constraints no process of triangulation was used. Last, it should be noted that the number of cases remained rather limited (n=14), and that this research offers little basis for generalising the findings to a wider population. However, this study explored potential differences in understanding of the BYOD-model between security actors, and generalisability is not the main goal of this thesis.


4. Analysis

____________________________________________________

In the following chapter the data gathered from interviews with experts, information security managers and employees is analysed. First, the findings from the interviews with experts on the threats, vulnerabilities and risks of the BYOD-model in the Netherlands are discussed. Next, data on how experts assess the role of both information security managers and employees in companies with a BYOD-model in terms of information security is reviewed. Last, the understanding of information security managers and employees on how the BYOD-model impacts information security and related behaviour is explained.

4.1. The threats, vulnerabilities and risks of the BYOD-model in the Dutch private sector

To gain a deeper understanding of whether the BYOD-model is considered detrimental to the information security of companies in the Netherlands, multiple experts were asked about the current threats, vulnerabilities and risks.

4.1.1. Threats of the BYOD-model

First, experts were questioned on the biggest threats with regard to information security in the Dutch private sector. In this research, threats entail anything that can exploit a vulnerability, either intentionally or accidentally, and obtain, damage or destroy corporate IT-systems and/or the information held on them (Threat Analysis Group, n.d.). Three main threat themes were elicited from the interviews.

Table 5. Threat themes of the BYOD-model according to experts

Threat themes
1. Employees (information security awareness and behaviour)
2. Lack of knowledge on information security of employer
3. Theft or loss of personal devices

All experts more or less agreed that employees are generally the biggest threat for the information security of a company (see Table 5).


“From my personal view I believe that people not being aware of the dangers of f.e., clicking on a link and filling in their bank details. F.e., the Microsoft scam is still very profitable for criminals since many people still fall for this.” (E.2., Policy Officer, National Coordinator for Security and Counterterrorism)

“If employees do not follow company policies, such as using their personal USBs or taking confidential information home, there is nothing you can do to prevent cyber attacks. Same goes for if they don’t see through a phishing email or social engineering tricks. You could think of a funnel model wherein the individual or employee is the most fundamental layer.” (E.1., Senior Policy Officer, Ministry of Justice & Security)

Experts mentioned that employees are often not aware of the dangers of using IT-systems in an insecure manner and are not able to detect information security attacks. Overall, unintentional threats such as unawareness of employees were considered the biggest threat, followed by intentional threats including not adhering to a company’s ISP. Secondly, the importance and responsibility of the employer was mentioned.

“Before a company decides to implement BYOD it is imperative to have a good IT policy in place. You can bring your own device, but it should meet certain requirements…” (E.3., Senior Policy Officer, Ministry of Economic Affairs & Climate Policy)

“It is very important to create a safe working environment. This not only goes for the IT-systems, but also implementing clear company policies. Employers should notify their employees on what you can and cannot do. You can hardly expect your employees to learn this themselves.” (E.1., Senior Policy Officer, Ministry of Justice & Security)

Experts stated that companies should facilitate the right conditions for employees to effectively contribute to information security. This entails giving clear guidance on how employees can prevent information security attacks, by f.e., instating an ISP before implementing the BYOD-model, giving information security awareness trainings, and investing in safe corporate IT-systems. While most comments about information security threats concerned the lack of information security awareness and behaviour of both employees and employers, one expert brought up the theft of personal devices.

“In the case of the BYOD, employees use their personally owned devices which makes it hard to maintain a degree of control. These devices are not owned by the employer. When an employee has access to their f.e., work email on their personal device, this brings up questions concerning security. Let’s say this personal device gets stolen, it is important for an employer to have the option to take precautionary measures such as a remote wipe.” (E.4., IT consultant, Independent IT firm).

In case a personal device gets stolen or lost, a third party could potentially access corporate data through the employee’s personal device.

4.1.2. Vulnerabilities of the BYOD-model

In terms of vulnerabilities, experts in general agreed that personal devices have gaps in security that can be exploited by malicious third parties. Interviewees mentioned that employees’ personal devices could easily be accessed through technical vulnerabilities in applications and the use of unsecured WiFi networks.

“It has been proven many times before, that vulnerabilities in applications can be used to gain access to your phone. When your phone is connected to the workspace, this means hackers can gain access to your corporate information as well. Companies have no control over the applications their employees download on their personal devices.” (E.4., IT consultant, Independent IT firm)

“A private device will go all over the place; it will leave the workplace, and in a worst case scenario the employee f.e., goes to a restaurant and makes use of unsecured WiFi networks. This is like the walhalla for hackers, and a common place where they target their victims. Public WiFi networks are already a huge threat, and especially when employees connect this to their personal less secured devices.” (E.3., Senior Policy Officer, Ministry of Economic Affairs and Climate Policy)

All experts stated that malware on personal devices could easily spread to the workplace, thereby compromising corporate information.


“We are all interconnected, and a cyber attack on a personal device could easily spread to the workplace.” (E.1., Senior Policy Officer, Ministry of Justice & Security)

“When your phone is connected to the workspace, this means hackers can gain access to your corporate information as well.” (E.3., Senior Policy Officer, Ministry of Economic Affairs and Climate Policy)

The BYOD-model is considered to be an additional vulnerability in the information security of a company, which can be exploited by malicious third actors trying to breach private devices to gain access to corporate information.

Further, experts were also asked to estimate the chances of a company with the BYOD-model experiencing an information security incident.

“Very high. If you take into account that 1 out of 5 Dutch people are a victim of cybercrime, and that 1 out of 6 companies are hit…” (E.3., Senior Policy Officer, Ministry of Economic Affairs and Climate Policy)

Experts generally commented that they did not have exact numbers on the information security incidents that occurred as a result of allowing employees to use their personal devices, but generally estimated the chances of this happening as very likely. It should be noted that the majority of the experts expressed that the degree of vulnerability depends on the respective industry:

“I think predominantly industries in which money and personal data are circulated should be worried.” (E.4. IT consultant, Independent business)

In agreement with the previous quote, some experts concluded that companies which handle money and personal data are most vulnerable to information security attacks. What’s more, experts argued that the BYOD-model is mostly implemented in smaller companies in the Netherlands which do not invest in corporate devices for all employees. This is confirmed by research on cyberthreats and strengthening resilience in the Netherlands published by the Rathenau Institute in 2017. The report found problems including a lack of financial resources for the procurement of corporate devices and many problems in basic information security measures in Small and Medium Enterprises (SME). Moreover, SME in the Netherlands were identified as currently highly vulnerable to cyber attacks (Rathenau Institute, 2017). For this reason, some experts believed the BYOD-model to have decreased in popularity.

“I can understand that small companies do not have the funds to provide all employees with company devices. What I would foresee is that the BYOD-model can only continue that for short period of time. Most likely the other parties you work with, will at some point want to be guaranteed your company is secure.” (E.1., Senior Policy Officer, Ministry of Justice & Security)

“I actually believe the popularity of Bring Your Own Device is slowly decreasing and making place for the Choose Your Own Device trend.” (E.4. IT consultant, Independent business)

The majority of the experts commented that, specifically because of the additional threats, vulnerabilities and risks, the BYOD-model is losing its popularity in the Netherlands. The input from the expert interviews further shaped the case studies to focus on SME in the financial sector in the Netherlands that have implemented the BYOD-model.

4.1.3. Risks of the BYOD-model

Last, experts were asked about the risks of the BYOD-model. Risks are considered to be the potential loss, damage or destruction of corporate IT-systems and/or the information held on them as a result of a threat exploiting a vulnerability (Threat Analysis Group, n.d.). Questions about the potential consequences for Dutch companies as a result of an employee’s personal device being breached were posed.

Table 6. Risk themes of the BYOD-model according to experts

Risk themes
1. Loss of information (corporate and personal data)
2. System unavailability

All experts acknowledged the loss of information to be the biggest risk. Loss of multiple sorts of sensitive information were mentioned by the interviewees.


“The confidential data of your employees can get accessed and leaked.” (E.3., Senior Policy Officer, Ministry of Economic Affairs and Climate Policy)

“And… cyber espionage can lead to your intellectual property being stolen. Further, the confidential data of your employees can get accessed and leaked. Complete data sets can get stolen. This can be done by criminals, journalists or basically everyone who is interested in this information.” (E.2., Policy officer, National Coordinator for Security and Counterterrorism)

Confidential information on customers, employees or company trade secrets was seen as most interesting for malicious third parties. Furthermore, unavailability of IT-systems and/or the information held on them was also considered a risk.

“Information of the company could be leaked or made unavailable in case of a ransomware attack. This is why at my work it is not encouraged to use your private account to send work-related emails.” (E.3., Senior Policy Officer, Ministry of Economic Affairs and Climate Policy)

“An organisation could be hit by cryptoware that take your files hostage and only release it if you pay a certain amount of money.” (E.2., Policy officer, National Coordinator for Security and Counterterrorism)

The majority of experts specifically named the risk of ransomware [4], which is currently a popular profit-model for criminals in cyberspace. This overlaps with the risk of financial losses for companies with a BYOD-model. Most notably, experts refer to financial losses including paying cybercriminals to unlock corporate files and money fraud:

“A data leak can lead to the theft of intellectual property, financial losses or fraud. The latter could be a hacker changing a bank account number. In the end, criminals are after one thing which is financial gain. Money can be earned by directly stealing funds or by taking personal data, which are worth money. The more confidential and important the personal data, the more money can be earned.” (E.4., IT consultant, Independent IT firm)

[4] A type of malware that prevents or limits users from accessing their system, either by locking the system's


Last, one expert considered the trade-off between security of the company and the privacy of an employee as a risk.

“Let’s say this personal device gets stolen, it is important for an employer to have the option to take precautionary measures such as a remote wipe. The risk accompanied is that a measure like the remote wipe also delete personal files such as photographs. The BYOD creates a tension between the security of a company and the privacy of an employee.” (E.4., IT consultant, Independent business)

In theory, when a personal device is connected to the workplace, an organisation could access personal information of the employee. Furthermore, when an employer chooses to implement technical solutions such as the remote wipe, the loss of employees’ personal files could be a risk.

4.2. The perspective of experts on the role of information security managers and employees in contributing to information security in Dutch companies with a BYOD-model

In addition to mapping the current information security threats, vulnerabilities and risks for Dutch companies that have implemented the BYOD-model, experts were asked to assess the role of managers and employees in preventing an information security incident.

4.2.1. The role of information security managers

As mentioned before, all experts agreed that information security is a shared responsibility between the employer and employees. Following the constructs of the IBM-model, interviewees were questioned on how information security managers could improve employees’ use of personal devices in terms of information security. In general, experts found enhancing the information security awareness of employees an important first step. Information security campaigns were seen as an important means to raise information security awareness, and eventually improve the behaviour of employees. What stood out is that advice from the experts in many instances overlapped multiple constructs of IBM. The highlights can be found in Table 7.


Table 7. Advice for employers to enhance personal information security behaviour of employees

Recommended actions for employers
1. Explain the information security risks for the company to employees
2. Explain personal relevance of information security behaviour to employees
3. Establish clear and easy instructions on personal information security behaviour for employees
4. Give employees intangible rewards in exchange for good information security behaviour
5. Support the emergence of subjective norms for information security behaviour

Experts spoke about the importance of explaining the information security risks for a company to employees in relation to response efficacy, response costs and attitude towards ISPs.

“I think employees first need to understand what the risks exactly are. F.e., what are the risks of a data leak for the company they work for.” (E.4., IT consultant, Independent IT firm)

“Explain why security is important and f.e., three password checks are necessary to get access to certain files. Again, awareness is key.” (E.2., Policy officer, National Coordinator for Security and Counterterrorism)

Overall, experts agreed that explaining the necessity of good information security would lead to employees being more understanding of why specific measures or actions need to be taken, and eventually enhance information security behaviour. Experts suggested this explanation should be included in information security interventions and ISPs. Moreover, two experts said that experiencing the risks of information security, by hiring a company to test employees or organising a demonstration by an ethical hacker, would be beneficial.

In extension of the previous advice, experts made multiple remarks on how making advice personally relevant for employees could help response efficacy and self-efficacy.

“This brings us back to the basic principles: Why would someone want to listen to the message? People are naturally more interested in what is relevant to them or what happening in the news. This principle could be used to motivate employees.” (E.1., Senior Policy Officer, Ministry of Justice & Security)


Experts said employees are more likely to pay attention to information security if this is somehow related to their personal situation. Hearing about information security incidents and related behaviours in their personal environment or on the news was thought to improve how confident employees are about the effectiveness of certain behaviours and their ability to perform these themselves.

Third, the delivery of information on information security behaviour for employees was deemed important. Giving clear and easy instructions on information security behaviour was said to help with employees’ response costs and attitude towards ISPs.

“I can understand that employees get really annoyed by the many security demands and instructions they receive. The same goes for the general public. If you do not hand clear and concise solutions, that are fairly easy to implement, the chances of success are slim.” (E.1., Senior Policy Officer, Ministry of Justice & Security)

Most experts noted that giving clear and simple guidance to employees helps relieve the potential disadvantages employees might perceive, such as annoyance about f.e., figuring out how a back-up should be made, and nurtures a more positive attitude towards ISPs.

Further, all experts emphasised that a positive approach should be taken in steering the information security behaviour of employees. One important element in accomplishing this was the use of intangible rewards.

“By rewarding their good behaviour. If an employee comes forward this should be approached in a positive manner. This does not necessarily needs to be a physical reward, this can be decided by the companies themselves. But it should be made sure a compliment or appreciation is showed.” (E.2., Policy officer, National Coordinator for Security and Counterterrorism)

“Have a ‘most cyber secure’ employee of the month. That is the first thing that comes to mind. You can challenge people to be more aware and think about information security in a more enjoyable manner.” (E.3., Senior Policy Officer, Ministry of Economic Affairs and Climate Policy)

Intangible rewards such as giving compliments to employees and praising good information security behaviour were considered an important tool to enhance information security behaviour. Intangible rewards could help make good information security measures or actions more visible in the workplace and motivate others to change their behaviour for the better as well. Moreover, one expert explicitly stated tangible rewards such as money would be less effective than intangible rewards in changing information security behaviour.

Last, the influence of employees who have knowledge of information security and/or display good information security behaviour in the workplace was considered an opportunity to enhance the information security behaviour of other employees.

“This can be as simple as someone hearing about a hack in an application on the news and sharing, discussing this with their colleagues. Or... Someone suspecting he or she received a phishing email and warning their colleagues about this.” (E.4., IT consultant, Independent IT firm)

Experts mentioned that colleagues can function as role models within their team, share experiences with each other, offer (technical) support and even enforce information security behaviour through social pressure. While one expert underlined that this dynamic should be natural and not lead to some employees lecturing others, it was suggested that employers could help create subjective norms on information security by, for example, organising awareness campaigns and praising employees with good information security behaviour.

4.2.2. The role of employees

When asked what specific measures or activities employees could implement to prevent an information security incident from occurring, the answers could broadly be distilled into two pieces of advice. The first was to take basic security measures on their personal devices.

“We will advise on password policy, making regular back-ups of your IT systems and what more... Phishing mails, do not click on suspicious emails!” (E.3., Senior Policy Officer, Ministry of Economic Affairs and Climate Policy)

Experts gave a variety of examples, including selecting a strong password, making regular back-ups, not downloading untrustworthy software, not clicking on suspicious links and not visiting insecure websites. Most notably, not opening unknown emails or phishing emails was named as an important measure to prevent an information security incident.

“The most obvious one is to use your common sense, but there are a few instances of which employees need to be made aware. For example, when your phone’s battery is quickly draining, using a lot of data or when a phone is very hot, this could indicate there might be something wrong with your phone.” (E.4., IT consultant, Independent IT firm)

Experts stated that employees should become more trusting and aware of their gut feeling when it comes to information security. Employees were recommended to take immediate action in case they suspect something is wrong, such as a quickly draining battery, but also to follow basic logic in how sensitive information should be handled. The latter was considered difficult for employees to engage in, as the experts all agreed the overall level of awareness of information security is still quite low.

4.3. Information security managers versus employees: Understanding of how the BYOD-model impacts information security and related behaviour

According to previous research (Posey et al., 2014; Pham et al., 2017), it is important that information security managers and employees have a similar understanding of information security practices. In terms of the BYOD-model, it is deemed important that managers and employees have a good understanding of the challenges of using personal devices for work purposes. In the following chapter the findings concerning the understanding of the BYOD-model and related behaviour among employees and managers are explained following the constructs of the IBM.

4.3.1. Threat appraisal of the BYOD-model

According to the IBM, threat appraisal, or the evaluation of the level of danger posed by threats, is determined by the perceived vulnerability and perceived severity. A higher level of threat appraisal positively influences coping appraisal, which in turn leads to behavioural intent towards activities and measures to protect against the threats of the BYOD-model. First, managers and employees should have an idea of what the security threats of the BYOD-model are; the first question was therefore ‘what are, according to you, the threats of using private devices for work purposes in terms of information security’. Table 8 presents the security threats of the BYOD-model that were identified by employees and managers.

Table 8. Threat themes of the BYOD-model (in percentages)

Both groups agreed that hackers, online threats (viruses, trojan horses etc.) and most notably malicious employees were top security threats of the BYOD-model.

“Maybe employees that could leak this information. Luckily this has not happened in the past 10 years, but it only takes one person that does abuse the system and you have a problem.” (b.5., Customer service manager, Company B)

“Employees in most companies will be able to send an email from their corporate email to their private email, and do whatever with this information outside the control of the company. Hence, integrity of employees is very important as well. The code of conduct clearly states employees cannot send corporate information to their private email; it is then up to the employee whether they comply with or ignore the policy.” (A.1., Information security manager, Company A)

Both groups identified employees as intentional threat actors, but there were some slight differences in understanding: employees named blackmail and insiders intentionally leaking data as top security threats, whereas managers were mostly concerned with employees purposefully not adhering to the ISP by downloading movies and sending emails from their corporate email to their private email. Further, many employees seemed quite unaware of the threats of the BYOD-model.

“I would not think this can be very damaging, as this is not really information that could be sold to others. The really sensitive information would only be kept by heads of management.” (b.5., Customer service manager, Company B)

Table 8. Threat themes of the BYOD-model (in percentages)

Employees                       Managers
1. Employees - 71%              1. Employees - 100%
2. No serious threats - 57%     1. Hackers - 66%
3. Hackers - 42%                3. Online threats - 66%
4. Online threats - 42%
