DOES THE EMPLOYEE USE OF SMARTPHONE AT WORK CORRELATE WITH THE ADHERENCE INTENTION TO THE INFORMATION SECURITY POLICY, AND THE PERCEIVED EASE OF USE AND USEFULNESS OF THE POLICY?

Author: Pontenila, Serena

INTRODUCTION

This study addressed information security policy (ISP) noncompliance among employees using smartphones for work purposes in the U.S. financial industry. Organizational leaders frequently implement ISPs to document security precautions such as authentication protocols, mobile device management (MDM), device fingerprinting, and device encryption that limit data risks when using smartphones in the workplace (Raj & Catherine, 2015). However, even when security precautions are taken, users can still act in ways that put data security at risk by failing to adhere to ISPs (McBride, 2015).

Research indicates that smartphones pose a unique set of security risks (Mayrhofer, 2015). The small size and limited capacity of smartphones (Ahmed & Ahmad, 2014), their continued connectivity (Tsavli et al., 2015), and the potential for malware (Louk, Lim, & Lee, 2014) all lead to increased data security risks when using smartphones.

The investigation of this study is significant to both practitioners and researchers. ISP adherence is an issue of importance to the U.S. financial industry due to (a) the heavily regulated nature of the industry, (b) the large volume of sensitive data handled by organizations within the industry, and (c) the fact that insider threat represents a significant concern regarding data security (Kamoun & Nicho, 2014). From a practitioner's perspective, the present study's findings can be used to assess existing ISP training and awareness programs or develop new programs that are more effective at promoting ISP adherence (Ghazvini & Shukur, 2016). This study intends to find out whether employee use of smartphones at work correlates with employees' intention to adhere to the ISP and with employees' perceived ease of use and usefulness of the ISP in the financial industry.

THE IMPORTANCE OF THIS STUDY

The results of this present study can be used to inform industry leaders about the attitudes, perceptions, and intentions of employees using smartphones for work-related purposes. If ISP adherence can be improved through a better understanding of these relationships, financial institutions can reduce data security risks associated with both ISP noncompliance and smartphone use (Kim, 2014).

This study is vital from a scholarly perspective in that it addresses a recognized gap in the body of knowledge on ISP adherence. Researchers have argued that it is necessary to understand the relationship between smartphone use and employee perceptions of ISPs because these perceptions are likely to affect adherence behaviors (Siponen et al., 2014; Sommestad et al., 2014).

BACKGROUND OF THIS STUDY

Information Security

Organizations must address the risks associated with developing technologies by implementing flexible and comprehensive approaches to information security (Tu et al., 2015). A comprehensive approach can include both cybersecurity and information security interventions (von Solms & van Niekerk, 2013). While both cybersecurity and information security address the availability, integrity, and confidentiality of digital assets, they differ in that information security goes beyond technology-related interventions (von Solms & van Niekerk, 2013). Information security is considered a process, and, while it does include technical components, one cannot buy it from a store (von Solms & van Niekerk, 2013). Information security, as a program, involves people and the decisions they make regarding data handling.

Thorough ISPs are composed of multiple objectives and have many elements (von Solms & van Niekerk, 2013); these elements include education, training, and the goal of building an information security-minded organizational culture (Chen et al., 2015). Building an information-security-minded organizational culture is of growing interest to organizations as data is becoming increasingly digital, dispersed, mobile, regulated, and vulnerable (Kamoun & Nicho, 2014). The objective of an ISP is to defend the confidentiality, integrity, and availability of data to maintain the trust of consumers and to provide protection against vulnerabilities (Ayyagari, 2012).

ISPs include elements to address a broad range of issues and ensure adequate protection. These issues include privacy, security, trust, and legal issues (Nofer et al., 2014). Privacy and security policies are implemented to protect data and enhance consumer trust (Layton & Watters, 2014). While privacy and security policies are similar, privacy policies address how employees handle consumers' private information (Nofer et al., 2014). ISPs extend beyond data handling and prevent unauthorized data access by employees and outside information security threats and intentional or unintentional data loss (Layton & Watters, 2014). Privacy and security policies bolster consumer confidence in data security despite inherent risks in data transmission or data handling (Nofer et al., 2014).

Mobile Device Management (MDM)

Mobile Device Management (MDM) is a management solution that allows organizations to use a centralized system to monitor work-related use of mobile devices, govern access control through mobile devices, and utilize remote wipe capabilities when necessary (Toperesu & Belle, 2017). MDM is an important part of smartphone-related security plans (Zahadat et al., 2015). Toperesu and Belle (2017) suggested that because MDM offers centralized control of smartphones and other mobile devices, it provides enhanced data security. Horton (2015) added that the use of MDM enhances security by allowing security specialists to use web filtering and application controls to monitor devices connected to an organization's network. The use of MDM also protects data should a mobile device be lost or stolen, as it enables sensitive data to be remotely deleted or wiped (Horton, 2015). Centralized control, device monitoring, and remote wipe options are all important aspects of smartphone security plans (Toperesu & Belle, 2017). However, there are some concerns when using MDM, including complex legal issues and the restrictive nature of MDM solutions.

When implementing MDM, organizational leaders must understand the relevant legal issues, many of which stem from the use of employee-owned smartphones (i.e., bring your own device [BYOD]) (Dhingra, 2016). In organizations with BYOD policies, some data monitoring, system configurations, and security tasks are difficult to implement due to employee ownership of the smartphones (Dhingra, 2016). If employees who use their personal smartphones for work purposes are unwilling to implement the security controls, it can result in a legal risk for organizations (Dhingra, 2016). Employees using their personal devices for work purposes must be aware of and consent to remote wiping and blocking, secure destruction of company data, antivirus software, password use, and encryption use (Dhingra, 2016). While these legal issues related to the use of MDM are related primarily to BYOD policies, there are additional areas of concern that apply to both employee-owned and employer-issued smartphones.

Even when using employer-issued smartphones, employees may find MDM solutions too restrictive and frustrating (Timms, 2017). Steiner (2014) suggested that employees may get frustrated by MDM solutions that limit or ban applications or restrict network access. Timms (2017) concurred that a lack of flexibility presented by MDM could cause smartphone user frustration, adding that a perceived lack of privacy could make an employee feel uneasy about using their personal device at work. Zhou and Buyya (2018) cited restricted connectivity as a cause of frustration, noting that restrictive routing protocols can increase connection failure when a device relies on an unstable wireless network. Finding a balance between MDM solutions to ensure security while maintaining usability is ideal (Zhou & Buyya, 2018).

Even when a balance between security and usability is achieved, MDM solutions can cause concerns for administrators. Administrators must consider application permission levels (Chircop, Colombo, & Pace, 2016); threats and vulnerabilities (Rhee et al., 2013); and user behavior (Safa et al., 2016). Chircop et al. (2016) suggested that applications must be monitored to ensure that they are not being used to violate established security controls. Monitoring and aggregating the data from all the applications and files can be costly (Timms, 2017). Rhee et al. (2013) added that organizations should work to identify all relevant threats because unidentified threats leave smartphones vulnerable even after the implementation of MDM solutions. Even if the threats are identified, MDM solutions are not infallible, and user behavior can put data security at risk despite robust MDM solutions (Toperesu & Belle, 2017).

Toperesu and Belle (2017) suggested that an organizational security official's lack of control over a device such as a smartphone is a vulnerability. Only the employee has physical control of the device, and smartphones can be lost or stolen, putting the data stored on them at risk. Toperesu and Belle (2017) also asserted that employees could intentionally thwart MDM protections through actions such as password or file-sharing. Safa et al. (2016) asserted these behaviors are the cause of many information security incidents. To curb these types of behaviors, Utter (2015) suggested implementing and enforcing ISPs.

Information Security Policy (ISP)

The information security policy (ISP) is a set of rules and policies that (a) define how an employee should access and use organizational information assets, (b) address individual employee responsibilities related to compliance requirements, and (c) outline the consequences of noncompliant behaviors (Yazdanmehr & Wang, 2016). Comprehensive ISPs can minimize insider threat (Wall, 2013). By enacting and enforcing ISPs, leaders ensure the protection of the...
