Investigating the formation of an information security climate in a large Vietnamese construction company: a social network analysis approach

Dang, D 2018, Investigating the formation of an information security climate in a large Vietnamese construction company: a social network analysis approach, Doctor of Philosophy (PhD), Business IT and Logistics, RMIT University.

Title: Investigating the formation of an information security climate in a large Vietnamese construction company: a social network analysis approach
Author(s): Dang, D
Year: 2018
Abstract: The management of organisational information security (InfoSec) has gained importance due to the rise of new and sophisticated cyberthreats, with technical measures alone no longer comprising effective organisational InfoSec. In addition to technical measures, organisations need to transform their employees into InfoSec-aware end-users who actively contribute to the maintenance and improvements of organisational InfoSec. It is imperative to develop a positive InfoSec climate in the workplace where the priority of InfoSec-related matters is understood and recognised by all employees.

The concept of an InfoSec climate focuses on the interactions between employees and their work environment, including the InfoSec behaviours performed by colleagues and by direct supervisors. These interactions promote the priority of InfoSec in the organisation. Improving the understanding of these interactions enables scholars and practitioners to design management models and strategies to develop people-centric InfoSec workplaces where employees receive InfoSec-related resources in a positive InfoSec climate. These interactions provide a social network within the workplace and their impact on the formation of an InfoSec climate is the focus of this thesis. Previously, most behavioural InfoSec studies have focused on the cognitive and behavioural aspects of employees as separate individuals.

This thesis investigates the factors and mechanisms that contribute to the formation of an InfoSec climate by conducting a canonical action research (CAR) project in collaboration with a large construction enterprise in Vietnam. The business objective of this CAR project focused on improving the organisation’s InfoSec environment. A social network analysis (SNA) approach was used to examine the impacts of employees’ networks of InfoSec-related interactions on the formation of their perceptions of an InfoSec climate. The adoption of SNA methods also supported the achievement of the business objective.

The CAR project consisted of four research stages which began with diagnosing InfoSec issues and understanding the critical factors and methods for effective InfoSec implementation in the Vietnamese context. At the end of the diagnosis stage, the project team decided to improve the InfoSec environment through a diffusion of InfoSec knowledge. In the action planning stage, SNA methods were employed to identify influential champions. These champions then received InfoSec training in the action taking stage and carried out the diffusion of InfoSec knowledge at the end of this iteration. In the evaluation and reflection stage, SNA was performed to quantitatively evaluate the changes in the InfoSec environment and to examine a theoretical model which described the formation of employees’ perceptions of the InfoSec climate.

The evaluation’s findings indicated that the InfoSec environment of the organisation had achieved the intended improvements, including the selected champions emerging as prominent sources of InfoSec support and InfoSec influence and employees’ provision of InfoSec support becoming more active after the champions’ diffusion of InfoSec knowledge. The SNA findings further indicated that employees received InfoSec influence from colleagues they trusted and from those that provided them with work advice, organisational updates, personal advice and InfoSec support. Employees’ number of InfoSec influencers, department membership and champion status were identified as the factors that facilitated the InfoSec influence between them and contributed to improved perceptions of the InfoSec climate. In addition to the structural mechanisms of the InfoSec influence network, which contributed to InfoSec climate formation, employees’ perceptions of colleagues’ and direct supervisors’ InfoSec behaviours also had different formation mechanisms.

This research provides contributions to practice, theory and methodology. It demonstrates the practical adoption of the SNA approach to improve organisational InfoSec, through employing the approach’s methods and metrics to evaluate an InfoSec environment and to identify InfoSec champions. The research elaborates on the formation mechanisms of an InfoSec climate and extends theoretical knowledge on this formation process. The examination of theories about networks and social influence also suggests the influential traits of InfoSec champions. The methodological contributions focus on the separate and combined use of SNA methods with the CAR approach to investigate behavioural InfoSec-related phenomena. The research also proposes further improvements to the CAR approach.
Degree: Doctor of Philosophy (PhD)
Institution: RMIT University
School, Department or Centre: Business IT and Logistics
Subjects: Information Systems Management; Information Systems Organisation; Computer System Security
Keyword(s): behavioural information security; social network analysis; action research; information systems management; information security management
