Open access repository

In 2014, we launched our open-access repository, which offers full-text access to conference proceedings from many of our events, including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).

Eleventh International Symposium on Human Aspects of Information Security & Assurance (HAISA 2017)
Adelaide, Australia, November 28-30, 2017
ISBN: 978-1-84102-428-8

Title: What Do They Really Think? Overcoming Social Acceptability Bias in Information Security Research
Author(s): Debi Ashenden
Reference: pp251-260
Keywords: Information security; attitudes; personal construct psychology; social acceptability bias
Abstract: The aim of this study was to better understand employee attitudes towards information security in an organisational setting and to trial Personal Construct Psychology (PCP) and repertory grids as a way of getting beyond social acceptability bias in information security research. Data collection consisted of eleven interviews and a survey with 115 employee responses. The results of the interviews identified a number of themes around individual responsibility for information security and the ability of individuals to contribute to information security; the value of corporate information; attitudes within the organisation towards protecting information; the culture of the organisation and its impact on information security, and risk perceptions. The survey demonstrated that those employees who thought the organisation was driven by the need to protect information also thought that the risks were overstated and that their colleagues were overly cautious. Conversely, employees who thought that the organisation was driven by the need to optimise its use of information felt that the security risks were justified and that colleagues took too many risks. Individually, those employees who believed that they had a personal responsibility to ensure information security thought that the risks were valid and justified and those who believed that information security specialists took care of the organisation’s information believed that the risks were overstated. The study surfaced a number of tensions in the organisational culture around information security that need to be addressed.


Download count: 502

How to get this paper:

Download a free PDF copy of this paper
Buy this book at Lulu.com

A PDF copy of this paper is free to download. You may distribute this copy provided you cite this page as the source.