Information Security Behavioral Model: Towards Employees’ Knowledge and Attitude

Abstract

Information Security has become a significant concern for today's organizations. The internal security threats acts as the most curtail type of security threat within an organization. These internal security threats are a result of poor conduct of security behavior by the employees within an organization. If not deal properly, it may hamper the auditing of organization. Auditing plays an important role in the business environment. Before conducting auditing it is essential to examine the behavioral aspect of the employees. The objective of this paper is to take out this internal threat that acts as a security slack, out of an organization by using a well-structured approach to develop a security behavior model. To validate the proposed model a survey method is used. The survey method measures the knowledge and attitude of an individual employee towards information security to analyze the behavioral security aspect of the employee's. Statistical Analysis of the result of survey indicates that the employees' knowledge and his attitude towards information security derive his behavior towards achieving ultimate organizational goal and thus validates the proposed security model. 1. Introduction Information Security at the organizational level aims at securing the information asset and other assets of the organization from threats that may exploit the vulnerabilities and get access to the assets of the organization. The various domains of information security in an organization that are often talked about are : Physical (environmental) security , legal regulatory ,investigation & compliance, business continuity and disaster recovery, operations security, cryptography, software development security, Information Security Governance and Risk management , Telecommunication & Network security and Access Control. Although it's known than an employee for an organization is the most important asset to the organization, yet discussing it as a separate domain (BehavioralSecurity) has yet not gained its importance. This paper discusses about the behavioral security domain, by analyzing the two important aspects of an individual that he/she imparts to the organization: Knowledge and Attitude. It further discusses on how this behavioral security ultimately leads to the organizational security and thus aligns with the organizational goal. Conducting a performance appraisal of an employee is a task of challenge for an organization. True assessment of performance becomes a mere factor of chance if proper inputs are not taken into consideration. The problem occurs when various factors negatively influence and effect the performance appraisal. Thus the performance appraisal varies depending upon an individual's situational factors. For example, personnel factors of an employee such as his mood, his desires, his fitness in terms of health, his perception, all affect the final outcome. Similarly the personalfactors of the evaluator such as his mood, his dislike for the employee, will affect the final outcome. All these factors at some or the other point becomes a hindrance in evaluating the performance appraisal of an employee and thus influence the accuracy of the measurement. It can be argued that the problem discussed hear is similar to auditing an employee's behavior. It can be considered as an initial step or a step that needs to be performed just before putting our hands into an information security Audit of an enterprise. Since all organizations whether profit or nonprofit has employees at the very micro level, and employee is not machinery. Human mind is rational and cannot be taken for granted. Thus working on employees' behavior and getting a unique and ideal model to audit behavioral