Rethinking the Prevailing Security Paradigm: Can User Empowerment with Traceability Reduce the Rate of Security Policy Circumvention?
- Authors
- Jeon, Soohyun; Hovav, Anat; Han, Jinyoung; Alter, Steven
- Issue Date
- August 2018
- Publisher
- ASSOC COMPUTING MACHINERY
- Keywords
- Data-Centric Security; Enterprise Rights Management; Empowerment-Based ISSP; Information Security Policy Compliance; Information Security System
- Citation
- DATA BASE FOR ADVANCES IN INFORMATION SYSTEMS, v.49, no.3, pp.54 - 77
- Indexed
- SSCI; SCOPUS
- Journal Title
- DATA BASE FOR ADVANCES IN INFORMATION SYSTEMS
- Volume
- 49
- Number
- 3
- Start Page
- 54
- End Page
- 77
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/74203
- DOI
- 10.1145/3242734.3242739
- ISSN
- 0095-0033
- Abstract
- Information leakage is a major concern for organizations. As information travels through the organization's eco-system, perimeter-based defense is no longer sufficient. Rather, organizations are implementing data-centric solutions that persist throughout the information life-cycle regardless of its location. Enterprise rights management (ERM) systems are an example of persistent data-centric security. ERM defines specific access rules as an instantiation of organizational information security policies and has been suggested as a means of role-based access permissions control. Yet, evidence shows that employees often circumvent or work around organizational security rules and policies since these controls hinder task-performance. In this exploratory case study, we use the theory of workarounds as a lens to examine users' workaround behavior. We introduce an empowerment-based ERM system highlighting users' permission to override provisionally assigned access rules. The concept of empowered security policies is novel and presents a shift in the current security compliance paradigm. Subsequently, we compare users' compliance intention between empowered ERM users and conventional ERM users. Our descriptive results indicate that circumventing intention is lower while perceived responsibility and task-performance benefits are higher for the empowered ERM users than for the conventional ERM users. Compliance intention is higher for conventional ERM users than for empowered ERM users.
- Appears in Collections
- Graduate School > Department of Business Administration > 1. Journal Articles