Risk homeostasis and security fatigue: a case study of data specialists

IF 1.6 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Computer Security Pub Date : 2023-02-09 DOI:10.1108/ics-11-2022-0172

Anusha Bhana, Jacques Ophoff

{"title":"Risk homeostasis and security fatigue: a case study of data specialists","authors":"Anusha Bhana, Jacques Ophoff","doi":"10.1108/ics-11-2022-0172","DOIUrl":null,"url":null,"abstract":"Purpose Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context. Design/methodology/approach A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company. Findings A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain. Originality/value This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"4 1","pages":"0"},"PeriodicalIF":1.6000,"publicationDate":"2023-02-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Computer Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1108/ics-11-2022-0172","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Purpose Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context. Design/methodology/approach A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company. Findings A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain. Originality/value This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.

查看原文本刊更多论文

风险稳态和安全疲劳:数据专家的案例研究

组织使用各种技术、正式和非正式的安全控制，但也依靠员工来保护信息资产。这在很大程度上依赖于合规性，并不断挑战员工管理与安全相关的风险。本研究的目的是探讨由风险稳态理论(RHT)提出的稳态机制，以及安全疲劳，在组织背景下。设计/方法/方法采用案例研究方法调查该主题，重点关注经常处理敏感信息资产的数据专家。主要数据是通过对一家大型金融服务公司的12位数据专家的半结构化访谈收集的。对数据的专题分析揭示了风险认知、行为调整和安全疲劳指标。这些发现提供了这些概念如何在实践中体现的示例，并确认了RHT在安全领域中的相关性。原创性/价值本研究阐明了组织安全背景下的稳态机制。它还说明了与安全疲劳的联系，以及这可能如何进一步影响风险。安全疲劳的例子和指标可以帮助组织进行风险管理，制定“员工友好”的政策和程序，选择适当的技术安全解决方案，以及定制安全教育、培训和意识活动。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information and Computer Security COMPUTER SCIENCE, INFORMATION SYSTEMS-

CiteScore

4.60

自引率

7.10%

发文量

期刊介绍： Information and Computer Security (ICS) contributes to the advance of knowledge directly related to the theory and practice of the management and security of information and information systems. It publishes research and case study papers relating to new technologies, methodological developments, empirical studies and practical applications. The journal welcomes papers addressing research and case studies in relation to many aspects of information and computer security. Topics of interest include, but are not limited to, the following: Information security management, standards and policies Security governance and compliance Risk assessment and modelling Security awareness, education and culture User perceptions and understanding of security Misuse and abuse of computer systems User-facing security technologies Internet security and privacy The journal is particularly interested in receiving submissions that consider the business and organisational aspects of security, and welcomes papers from both human and technical perspective on the topic. However, please note we do not look to solicit papers relating to the underlying mechanisms and functions of security methods such as cryptography (although relevant applications of the technology may be considered).