Organizational Cybersecurity Journal (Sep 2024)

Employees are not the weakest link: an occupational safety view of information security

  • Alan R. Dennis

DOI
https://doi.org/10.1108/OCJ-06-2023-0013
Journal volume & issue
Vol. 4, no. 1
pp. 19 – 31

Abstract

Purpose – I adapt the Integrated Model of Workplace Safety (Christian et al., 2009) to information security and highlight the need to understand additional factors that influence security compliance and additional security outcomes that need to be studied (i.e. security participation).

Research limitations/implications – This model argues that distal factors in four major categories (employee characteristics, job characteristics, workgroup characteristics and organizational characteristics) influence two proximal factors (security motivation and security knowledge) and the security event itself, which together influence two important outcomes (security compliance and security participation).

Practical implications – Safety is a systems design issue, not an employee compliance issue. When employees make poor safety decisions, it is not the employee who is at fault; instead, the system is at fault because it induced the employee to make a poor decision and enabled the decision to have negative consequences.

Social implications – Security compliance is as much a workgroup issue as an individual issue.

Originality/value – I believe that by reframing information security from a compliance issue to a systems design issue, we can dramatically improve security.

Keywords