Information security is one of the keys to the successful functioning of contemporary organizations. Recently, the social science perspective on information security has emerged, which refers to various socio-psychological aspects of employee behaviour related to information security. It is well known that the level of information security in an organisation depends on its weakest link, so studying the information security behaviour (ISB) of employees is one of the most important goals in ensuring information security in organisations. In this regard, the process of internal communication is recognised as an important element that has not yet been theoretically or empirically included in the conceptualization of research models in the field of information security. The dissertation is concerned with the analysis of organisational communication processes that are part of the broader, newly introduced concept of ISB and the identification of explanatory factors of communicative ISB. The explanatory model is derived by combining the theory of the spiral of silence in the organisational context and established behavioural theories, such as the theory of planned behaviour and the protection-motivation theory. Special attention is given to measuring social science aspects of information security, which are susceptible to the social desirability effect when measured by self-report in survey methodology. A multilevel analysis of vertical and horizontal information security communication of employees at the University of Ljubljana is conducted based on mostly newly developed measurement scales. The results show that most of the measurement scales have adequate psychometric properties. Among the explanatory factors of employees' communicative ISB at the individual level, subjective norms stand out, followed by attitudes, fear of formal sanctions, education, and age, while collective climate opinion is the only explanatory factor at the organisational level. The influence of socially desirable responses is evident when communicating about information security with superiors (but not with colleagues), which somewhat limits the validity of the results and confirms the problem of objectively measuring more sensitive social science aspects of information security. Examining employee information security communication practises is crucial for identifying and preventing various incidents that threaten the organisation's information. Due to the sensitivity of the topic, the inclusion of various methods to reduce the effect of social desirability in survey questionnaires is necessary.
|
