Biblio

A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-term study with employee interviews while embedded in the organization's security division. Despite an extremely high level of financial investment in security, and consistent attention and involvement from the board, the interviews indicate a significant level of friction between employees and security. In the main themes that emerged from our data analysis, a number of factors shed light on the friction: fear of another breach leading to zero risk appetite, impossible security controls making non-compliance a norm, security theatre underminining the purpose of security policies, employees often trading-off security with productivity, and as such being treated as children in detention rather than employees trying to finish their paid jobs. This paper shows that post-breach security changes can be complex and sometimes risky due to emotions often being involved. Without an approach considerate of how humans and security interact, even with high financial investment, attempts to change an organization's security behaviour may be ineffective.

In the era of Industry 4.0 (IR 4.0), information leakage has become a critical issue for information security. The basic approach to addressing information leakage threats is to implement an information security policy (ISP) that defines the standards, boundaries, and responsibilities of users of information and technology of an organization. ISPs are one of the most commonly used methods for controlling internal user security behaviours, which include, but not limited to, computer usage ethics; organizational system usage policies; Internet and email usage policies; and the use of social media. Human error is the main security threat to information security, resulting from negligence, ignorance, and failure to adhere to organizational information security policies. Information security incidents are a problem related to human behaviour because technology is designed and operated by humans, presenting the opportunities and spaces for human error. In addition to the factor of human error as the main source of information leakage, this study aims to systematically analyse the fundamental issues of information security policy compliance. An analysis of these papers identifies and categories critical factor that effect an employee's attitude toward compliance with ISP. The human, process, technology element and information governance should be thought as a significant scope for more efficiency of information security policy compliance and in any further extensive studies to improve on information security policy compliance. Therefore, to ensure these are properly understood, further study is needed to identity the information governance that needs to be included in organizations and current best practices for developing an information security policy compliance within organizations.