THE SECURITY INFORMATION POLICIES AND THE EMPLOYEES IN THE SOFTWARE SECTOR: AN EMPIRICAL STUDY IN MEXICO

Juan Mejía Trejo, José Sánchez Gutiérrez, Guillermo Vázquez Ávila

Abstract


This study aims to discover the reasons why employees in México accept or do not accept the Security Information Policies implemented in their organizations (SIPC). Five factors are considered: Attitude (ATT), Self Efficacy (SEF), Information Perceptions (IFP), Rewards (REW) and Penalties (PNY), with 21 variables as indicators. A questionnaire was designed and applied to 195 employees of the SME Software Sector in Guadalajara (SSG), México, who make up the value chain, including designers, manufacturers and suppliers. Reliability was measured with Cronbach's Alpha (.87), and Structural Equation Modelling (SEM) was applied to discover the 3 SIPC underlying variables in the model. Organizations must be aware of these results, because a great percentage of attacks originate from inside, from one or a few employees who, consciously or not, are not following the procedures and standards that the policies describe.


Keywords


Security Information Policies, Employees, Software Sector in México.






This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International license.