An Exploratory Study of the Effects of Knowledge Sharing Methods on Cyber Security Practice
DOI:
https://doi.org/10.3127/ajis.v25i0.2177
Keywords:
knowledge sharing, social media, cyber security, security compliance
Abstract
In a networked global economy, cyber security threats have accelerated at an enormous rate. The security infrastructure at organisational and national levels is often ineffective against these threats. As a result, academics have focused their research on information security risks and technical perspectives to enhance human-related security measures. To further extend this trend of research, this study examines the effects of three knowledge sharing methods on user security practices: security training, social media communication, and local security experts (non-IT staff). The study adopts a phenomenological method employing in-depth focus group interviews with 30 participants from eight organisations located in Ho Chi Minh City, Vietnam. The study expands on understanding factors contributing to self-efficacy and security practice through various knowledge sharing channels. Current methods of periodical training and broadcast emails were found to be less effective in encouraging participants to develop security self-efficacy and were often ignored. Social media and local experts were identified as supplementary methods of security knowledge sharing for maintaining employees’ security awareness. In particular, social media is suggested as a preferred channel for disseminating urgent security alerts and seeking peer advice. Local security experts are praised for providing timely and contextualised security advice where member trust is needed. This study suggests that providing contemporary channels for security information and knowledge sharing between organisations and employees can gain regular attention from employees, hence leading to more effective security practices.
License
Copyright (c) 2021 Hiep Cong Pham, Irfan Ulhaq, Minh Nguyen, Mathews Nkhoma
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
AJIS publishes open-access articles distributed under the terms of a Creative Commons Non-Commercial and Attribution License which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and AJIS are credited. All other rights including granting permissions beyond those in the above license remain the property of the author(s).