Information security at the organizational level aims at securing the information assets and other assets of the organization from threats that may exploit vulnerabilities to gain access to those assets. The domains of information security most often discussed in an organization are: physical (environmental) security; legal, regulatory, investigation and compliance; business continuity and disaster recovery; operations security; cryptography; software development security; information security governance and risk management; telecommunication and network security; and access control. Although it is widely acknowledged that employees are an organization's most important asset, treating them as a separate domain (behavioral security) has not yet gained comparable importance.
This paper discusses the behavioral security domain by analyzing the two important aspects that an individual brings to the organization: knowledge and attitude.
It further discusses how behavioral security ultimately leads to organizational security and thus aligns with the organizational goal.
Conducting a performance appraisal of an employee is a challenging task for an organization. A true assessment of performance becomes a matter of chance if the proper inputs are not taken into consideration. The problem arises when various factors negatively influence the appraisal, so that its result varies with an individual's situational factors. For example, personal factors of the employee such as mood, desires, physical health and perception all affect the final outcome. Similarly, personal factors of the evaluator, such as mood or a dislike for the employee, affect the final outcome. All of these factors at some point become a hindrance in appraising an employee and thus reduce the accuracy of the measurement.
It can be argued that the problem discussed here is similar to auditing an employee's behavior. It can be considered an initial step, or a step that needs to be performed just before undertaking an information security audit of an enterprise.
All organizations, whether for profit or nonprofit, have employees at the very micro level, and an employee is not machinery. The human mind is rational and cannot be taken for granted. Thus working on employees' behavior and arriving at a unique, ideal model for auditing behavioral security is not a formula-based exercise; the model varies with the constraints of each organization.
The best approach that can be considered is the one that fits the general working environment of any organization, i.e. the organizational structural approach.
• The most valuable item that an organisation owns is its critical data. Security has moved from managing devices to managing data.
• People are the weakest link in the security profile of any company. In general they are not incentivised to be security-aware.
Therefore, before an information security audit is conducted, it is essential that a behavioral security audit of employees is performed so that the security audit practices do not go in vain.
• 79% of participants cite the human factor as the root cause of information security failure. (2008 Global Security Survey, Deloitte Touche Tohmatsu)
• Since early 2005, more than 200 million personal records have been exposed. (Privacy Rights Clearinghouse, A Chronology of Data Breaches, April 2008)
The security of an organisation's most important assets depends on the weakest link in the organisation, i.e. the employee.
• People are an organization's most important asset.
• 'The organization is above all social. It is people.' (Peter Drucker)
• 'People are the key.' (Sam Walton, founder of Wal-Mart and the richest person in the world when he died)
The objectives of this study are:
• to use a well-structured organizational approach to develop a security behavior model;
• to validate the proposed model using a survey of employees;
• to analyse the results of the survey statistically.
1.3. PROBLEM DEFINITION
Information security is one of many requirements in the working day of employees and employers. Besnard and Arief (2004) have argued that users will probably overlook security if doing so eases their work, i.e. when information security tasks are felt to inhibit the completion of their work tasks. Wilde's (1982) risk homeostasis theory explains such individual safety trade-offs by the person's risk perception and risk acceptance criteria: people adjust their behavior in order to balance perceived and acceptable risk. Perceived and acceptable risk are influenced by a wide range of psychological and contextual factors. Slovic (2000) shows that risk is judged subjectively by individuals who may be influenced by a wide range of psychological, social, institutional and cultural factors. Cultural and organizational factors (e.g. Douglas and Wildavsky, 1982) are important for understanding risk behavior. Risk related to information systems is one of today's produced uncertainties contributing to Beck's (1992) characterisation of a risk society; consequently, macro-sociological factors are also important for understanding risk perception and behavior. Considering these factors, a detailed analysis of the following questions is required:
• How do users experience their own information security role and the administrative information security measures in their work processes?
• Why do users experience information security work the way they state?
• Are there arguments in the users' views on information security that imply alternative approaches to information security management at the studied companies?
A detailed analysis is therefore needed to find solutions to the following problems:
• conducting a behavioral security audit;
• conducting a performance appraisal of an employee;
• auditing an employee's behavior.
2. LITERATURE REVIEW
Security risks associated with information technology are a topic that has become increasingly significant. As corporations rely ever more on technology to run their businesses, security is becoming a major concern rather than an afterthought.
The CERT Coordination Center at Carnegie Mellon University has reported that security incidents (reported security attacks that may involve one site or thousands of sites) increased by 68% from 2003 to 2004 (CERT/CC, 2004). Whilst information security generally focuses on protecting the confidentiality, integrity and availability of information, information security awareness deals with the use of security awareness programs to create and maintain security-positive behavior as a critical element of an effective information security environment. According to Hansche (2001, p. 14) the goal of a security awareness program is to heighten the importance of information systems security and the possible negative effects of a security breach or failure. The Information Security Forum (ISF, 2003) defines information security awareness as the degree or extent to which every member of staff understands the importance of information security, the levels of information security appropriate to the organization and their individual security responsibilities, and acts accordingly.
The effective management of information security requires a combination of technical and procedural controls to manage information risk. The value of controls usually depends on the people implementing and using them, and information security is no different: controls can be circumvented or abused by employees who ignore security policies and procedures. The implementation of effective security controls is thus dependent upon the creation of a security-positive environment, where everyone understands and engages in the behaviors that are expected of them.
3. PROPOSED MODEL
An organization is a system with several subsystems in which people work together in a coordinated manner to achieve the goals of the institution. To obtain synergy there must be division of labor as well as coordination of activities and efforts. The structure of an organization can take different forms, determined in part by the overall strategy developed to achieve its goals. At a granular level, however, an organizational structure can be seen as a number of processes running in parallel to achieve the ultimate organizational goal. Each process is a set of activities performed together, in coordination, to produce a required output; an organization therefore contains many such processes. Each process is controlled and managed by a group leader, under whom there are a number of individual employees.
This implies a cascade of goals in an organization that must be achieved to reach the business-level goal, which corresponds to the organizational goal. Departmental goals are achieved through a number of process-level goals at the divisional level, and these processes are performed under the supervision of a leader acting at the regional level.
The leader thus works to attain the team-level goal. Within each team, individuals work together at the individual level to attain the team goal, each pursuing the individual goal defined by the task assigned by the leader. In this way connectivity exists across the individual, regional, divisional and business levels, with the ultimate objective of achieving the organizational goal. This structure can be described as follows:
Individuals' behavior plays a very important role in an organization. Two important factors are considered in order to take an individual's behavior into account: attitude and knowledge (Figure 2).
Attitudes denote our positive and negative responses to people, events and objects, and are influenced by the values held by individuals and their sense of right and wrong.
Attitude is not developed in a day. Every individual has inner values and beliefs that develop over time. As we grow we watch the people around us behaving in particular ways, and our teachers and peers tell us to cherish certain things over others. We come to value some things over others, forming our value system, and this in turn gives rise to our attitudes.
Just as values influence attitudes, attitudes influence behavior.
Here we are concerned with the behavioral aspect of attitude, because it is the behavioral component of attitude that governs the end outcome in the organizational model discussed in this paper: it translates one's desires into actions. The behavioral component of attitude falls into two groups:
• an individual's understanding of what attitude is expected of them in the company;
• an individual's willingness to constrain their attitude to follow the accepted and approved norms.
Knowledge is defined as the facts, information and skills acquired through experience or education. The knowledge that an individual employee has of information security with respect to the organization in which they work is very important. At some level every individual employee in an organization needs to take security decisions. Some of these decisions are taken in non-critical situations, where a small deviation from the ideal decision can be tolerated, whereas others must be taken in critical or sensitive situations. In such situations the user has to make an instant decision about what needs to be done in the particular circumstances. It is in these instances, where an immediate decision is required of an individual employee, that the knowledge factor becomes an important constraint on the end result. This knowledge is gained through one's learning ability as well as one's past experience, built on the security decisions taken over a period of time.
It must be noted that knowledge is vast, and an individual's knowledge will not always lead to the correct security decision in every situation encountered. At a minimum, however, it should be aligned with the organizational policies and procedures so that information, a crucial component of knowledge, is managed securely. Nevertheless an individual cannot avoid making their own security decisions as part of their daily tasks.
The use of knowledge by an individual in an organization affects discretionary behavior and thus helps to avoid causing offence or revealing confidential information. It also gives the individual the freedom to decide what should be done in a particular situation.
When the attitude and knowledge of an individual employee combine, they give rise to the individual's behavior.
The research model proposes that user knowledge and attitude together act as inputs to an individual's behavior. When the behaviors of individuals combine, they give rise to group behavior, which is an important constraint on achieving a successful process (Figure 2).
Process level Security
The behaviors of the various individuals combine to give rise to process-level security. Thus the combination of the individual employees' behavior and their leader's behavior at a particular process level is responsible for the completion of a process within an organization.
At a very granular level an individual's behavior towards the organization may appear to be a small thing. But when the behavior of a group of employees working together for a specific outcome is considered, it affects the process they are engaged in; this gives rise to the process behavior, which is controlled by a leader. To attain the end business goal, which corresponds to the organizational goal, the divisional-level goals must be attained, and this is possible only if the various processes at the divisional levels fulfil their specific requirements and their process behaviors are up to the mark. Combining these process behaviors gives rise to process-level security when the behavioral aspect of information security is taken into consideration (Figure 3).
As discussed above, overall organizational-level security requires the various security domains, such as physical security and network security, to be in place; but it also depends on the behavioral security of the employees who are working for the organization.
This behavioral-level security is the most important because it cannot easily be measured or audited, and if it is not taken into consideration it can lead to undesirable employee behavior, and thus to chaos and non-fulfilment of the organizational goal. Figure 4 represents the Information Security Behavioral Model.
To test the research model, a survey was conducted among 50 randomly selected employees of an organization. The survey was questionnaire-based; the self-report format has been an effective method for eliciting behavioral responses. Three answer choices were provided: true, false, do not know. The questions covered common information security issues and their solutions, such as viruses and anti-virus protection, firewalls, web security and password security. Five questions were grouped under each of the two constructs that form the inputs to an individual's behavior in an organization: knowledge (affecting discretionary behavior) and attitude (behavioral component).
Participation was voluntary. Of the 60 questionnaires distributed, 55 responses were received; 5 were discarded for missing data, leaving a final 50 responses.
5. FINDINGS & DISCUSSION
In this study SPSS version 16.0 for Windows was used for the statistical analysis of the two inputs to an individual's behavior, knowledge and attitude. Internal consistency reliability was assessed with Cronbach's alpha coefficient, for which values over 0.9 are taken to indicate excellent internal consistency reliability.
The Cronbach's alpha value for the items of the two constructs in this study is 0.9; the measures used in this study are therefore considered to have excellent internal consistency reliability. (Alpha measures the consistency of the items with each other, not their validity, and values well above 0.9 on a short scale can also indicate redundant items.)
The Pearson correlation results shown in Figure 6 also support the research model discussed above. As the correlation matrix in Figure 6 shows, an employee's attitude and knowledge towards using information security solutions together produce the behavioral security aspect. When the attitude is negative, for example when there is conflict between an individual's values and the company's values, tension arises.
People will often not bear such tension for long: they will either change or modify their principles, or they may leave the company.
The impact then falls on the processes they are involved in, and ultimately the resulting behavioral security affects the organizational goal. Similarly, knowledge can have a negative effect: where there are inconsistencies between the formal statements made by senior management and what a person actually experiences in practice, people are guided more by what they see than by what they are told. In such a case there will be many irregularities affecting the individual's behavioral security and the process security, with a negative impact on achieving the organizational goal.
The positive correlations are quite strong, as the coefficient values show. Thus the results support the research model for the behavioral aspects of information security proposed in this study.
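As an added worked example (not the paper's code, data or SPSS output), the following Python computes Cronbach's alpha for each five-item construct and the Pearson correlation between the two construct scores, on a constructed set of true/false/do-not-know responses. The answer key, the eight respondents and the scoring rule (security-positive answer = 1; false or "do not know" = 0) are assumptions made for illustration, since the paper does not state how "do not know" answers were coded; it also shows the low-alpha case a practitioner should look for before trusting a scale.

```python
"""Cronbach's alpha and Pearson r for a two-construct security survey.

Added example, not from the paper. Data below are constructed; the scoring
rule (security-positive answer = 1, anything else = 0) is an assumption.
"""
from math import sqrt
from statistics import mean, pvariance

# Constructed answer key: items 1-5 are the knowledge construct, items 6-10
# the attitude construct. 'T'/'F' is the security-positive answer per item.
KEY = "TFTFTFTTFT"
N_KNOWLEDGE = 5

# Constructed responses, one 10-character string per respondent.
# 'D' stands for "do not know".
RESPONSES = [
    "TFTFTFTTFF",
    "TFTFDFTTFT",
    "TFTDFFTDFD",
    "TFDTFFFFFF",
    "TTDDFTDFFD",
    "FTFTDTFFTF",
    "TFTFTFTTTT",
    "DDDDDDTDTD",
]


def score_row(answers, key=KEY):
    """Score one respondent: 1 where the answer matches the key, else 0.
    'D' never matches, so "do not know" is scored as not knowing (assumption)."""
    return [1 if a == k else 0 for a, k in zip(answers, key)]


def split_constructs(scored):
    """Split each scored row into its knowledge and attitude item blocks."""
    knowledge = [row[:N_KNOWLEDGE] for row in scored]
    attitude = [row[N_KNOWLEDGE:] for row in scored]
    return knowledge, attitude


def cronbach_alpha(matrix):
    """Cronbach's alpha for a respondents x items 0/1 matrix.

    alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)),
    using population variances throughout.
    """
    n_items = len(matrix[0])
    if n_items < 2:
        raise ValueError("alpha needs at least two items")
    item_var_sum = sum(pvariance(col) for col in zip(*matrix))
    total_var = pvariance([sum(row) for row in matrix])
    if total_var == 0:
        raise ValueError("total scores have no variance; alpha is undefined")
    return n_items / (n_items - 1) * (1 - item_var_sum / total_var)


def pearson_r(x, y):
    """Pearson product-moment correlation between two equal-length sequences."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = sqrt(sum((a - mx) ** 2 for a in x))
    sy = sqrt(sum((b - my) ** 2 for b in y))
    if sx == 0 or sy == 0:
        raise ValueError("a variable with zero variance has no correlation")
    return cov / (sx * sy)


def analyse(responses=RESPONSES, key=KEY):
    """Reliability of each construct and the correlation between them."""
    scored = [score_row(r, key) for r in responses]
    knowledge, attitude = split_constructs(scored)
    k_scores = [sum(row) for row in knowledge]
    a_scores = [sum(row) for row in attitude]
    return {
        "alpha_knowledge": cronbach_alpha(knowledge),
        "alpha_attitude": cronbach_alpha(attitude),
        "r_knowledge_attitude": pearson_r(k_scores, a_scores),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value:.3f}")
```

On the constructed data the knowledge items come out at alpha ≈ 0.885 and the attitude items at ≈ 0.739, so only the first would meet the paper's 0.9 threshold; the construct totals correlate at r ≈ 0.934. Reversing a key entry (scoring a "false" statement as the security-positive answer) is the usual way an alpha collapses, so the first thing to check when a scale scores poorly is the key, not the respondents.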
This study focuses on the relationship between an individual employee's knowledge and attitude in the domain of information security, which together give rise to the employee's behavior towards the organization. It thereby shows how the behavioral security of every individual affects the alignment of the various processes at the departmental level, and thus the overall business-level goal of the organization.
The findings support the view that attitude and knowledge reflect an individual's behavior towards adopting and using information security solutions, and that they should be assessed as an initial step before the actual audit is carried out.
6.2 SCOPE OF FUTURE WORK
Of the various influential factors, we have focused on three that are key. A company can maximize its leverage from these three if it:
• makes sure that the behavior of senior management and the company's systems support, rather than contradict, the Body of Knowledge;
• strengthens the users' security common sense and trains staff to develop good security decision-making skills;
• makes sure that senior management is seen to be taking security seriously and demonstrates that good security behavior is important to the way the company operates.