Date of Award
Doctor of Philosophy in Information Systems (DISS)
Graduate School of Computer and Information Sciences
Work systems are comprised of the technical and social systems that should harmoniously work together to ensure a successful attainment of organizational goals and objectives. Information security controls are often designed to protect the information system and seldom consider the work system design. Using a positivist case study, this research examines the user's perception of having to choose between completing job tasks or remaining compliant with information security controls. An understanding of this phenomenon can help mitigate the risk associated with an information system security user's choice. Most previous research fails to consider the work system perspective on this issue. This study is based on the socio-technical system theory, the Leavitt Diamond Model (1965). Using this model as a lens to examine user information security behavior and perspectives, the Synergistic Security Model was developed. The research data indicated that the relationships between the structure, technology, task and people constructs can have an impact on user information security behavior. The research found that a change in the organization's information security policies, technology, or a change in employee processes for task completion can impact a user's information security choice. Some of the information security situations found in the research could be easily changed to lower the risk of a user's choice to circumvent information security. This change could be a technical configuration change, a purchase of a new technology or a change in a process to help impact a user's choice to circumvent information security controls.
The Synergistic Security Model can help researchers understand the relationships between the general constructs found in a work system and how those relationships can influence user behaviors. The research presented in the paper examines a triad relationship between each work system construct, consisting of: Structure-Technology-People; Structure-Task-People; Task-Technology-People; and Task-Technology-Structure. The findings indicate that the relationship between the constructs can have a significant impact on user information security behavior and therefore should be a consideration when designing an efficient and effective information security program.
Martha Nanette Harrell. 2014. Factors impacting information security noncompliance when completing job tasks. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, Graduate School of Computer and Information Sciences. (21)