Individual behaviour is a core topic of information security (InfoSec) research. This can be seen in the substantial number of studies on issues such as compliance, misuse, avoidance, and policy violation. These behaviours can be distinguished on various attributes, such as their different periodicities (are they habitual or non-habitual responses?), their embeddedness (are they the sole focus of an activity or are they embedded in other primary activities?) and their underlying cognitive mechanisms (to what extent the intuitive and reflective thinking processes shape the behaviours?). However, there has been little attempt to consider the broader underlying dimensions of InfoSec behaviours. The lack of attention paid to conceptualising the phenomenon of “InfoSec behaviour” makes it difficult to evaluate progress in the field, especially since a variety of theories have been used to study InfoSec-related behaviours. This study reviews research on InfoSec behaviours and highlights three main lacunae: a widespread assumption that InfoSec behaviours are non-habitual activities, a lack of attention to intuitive cognition, and a lack of focus on InfoSec behaviour as a secondary activity. We conclude with suggestions for future research on InfoSec behaviours.
Hassandoust, Farkhondeh; Techatassanasoontorn, Angsana A.; and Singh, Harminder, "Information Security Behaviour: A Critical Review and Research Directions" (2020). ECIS 2020 Research Papers. 71.
When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.