The issues researched in the behavioral domain of information systems security, such as the values, attitudes, beliefs, and norms influencing an individual employee, are more pertinent to the informal level of security in an organization. Dealing with individual-level phenomena, behavioral information systems security uses a variety of evaluation approaches and addresses a wide range of problems. The complexity of the problems studied in this domain leads to solutions that are more descriptive than prescriptive in nature. Understanding the intentions and motivations of individual behavior cannot be easily generalized to form a common denominator of behavior. Hence, the findings at this level need to be effectively implemented through the other levels (i.e. formal and technical).
2.3 Information systems security governance
Moulton and Coles [28] define information systems security governance as “the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems”. This definition does not include audit processes, security operational details, or the development of security artifacts for meeting security objectives. The role of human actors and issues relating to the management of people in the organization are not emphasized in popular definitions of information systems security governance. In the behavioral aspects of security governance, the emphasis should be on managing the people who enact the security solutions, who thus become an inevitable part of the security process itself. By creating responsibility and accountability in structures, management ensures that employees align their personal value systems with those of the organization.
Development of proper security policies for risk mitigation is also part of the security governance effort. Communication of these policies is as important as having useful policies [44], because the commitment and seriousness of management regarding the security of assets is conveyed through policies. Ownership of systems and security methods is encouraged. Accountability on the part of top management is crucial for effective security governance practices [44] and becomes more compelling in the era of regulatory compliance. Based on the “fried egg” analogy, figure 1 presents the cyclical nature of information systems security governance at all three levels:
Formal: Institutionalization of security governance practices by management. These efforts include the creation of security policies and procedures, assessment of internal controls, encouraging group behavior, leadership style, and strong measures against nonconformity and deviant behavior.
Informal: Reinforcement of security practices by taking into account normative controls, creating a security-conscious culture, prevalent norms, individual beliefs, and personal values.
Technical: Enactment of the formal governance practices through stringent rules, procedures, operational details, monitoring, and feedback.
