{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T15:24:25Z","timestamp":1781105065905,"version":"3.54.1"},"reference-count":49,"publisher":"IGI Global Scientific Publishing","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,4]]},"abstract":"<jats:p>Employee information security practices are pivotal to prevent, detect, and respond to security incidents. This article synthesizes insights from research on challenges related to employee information security practices and measures to address them. The challenges identified are associated to idiosyncratic aspects of communities and individuals within organizations (culture and personal characteristics) and to systemic aspects of organizations (procedural and structural arrangements). The measures aimed to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics and are categorized as: (a) measures of training and awareness; (b) measures of organizational support; and (c) measures of rewards and penalties. Further research is needed to explore the dynamics related to how challenges emerge, develop, and get addressed over time and also, to explore the interplay between systemic and idiosyncratic aspects. Additionally, research is needed on the role of security managers and how it can be reconfigured to suit flatter organizations.<\/jats:p>","DOI":"10.4018\/ijesma.2020040101","type":"journal-article","created":{"date-parts":[[2020,1,31]],"date-time":"2020-01-31T13:39:12Z","timestamp":1580477952000},"page":"1-14","source":"Crossref","is-referenced-by-count":1,"title":["Employee Information Security Practices"],"prefix":"10.4018","volume":"12","author":[{"given":"Eli","family":"Hustad","sequence":"first","affiliation":[{"name":"University of Agder, Kristiansand, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Frode Mathias","family":"Bekkevik","sequence":"additional","affiliation":[{"name":"EVRY Consulting, Fornebu, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ole Reidar","family":"Holm","sequence":"additional","affiliation":[{"name":"Bekk Consulting, Oslo, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Polyxeni","family":"Vassilakopoulou","sequence":"additional","affiliation":[{"name":"University of Agder, Kristiansand, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"2432","reference":[{"key":"IJESMA.2020040101-0","unstructured":"Adele, A., & Kulesa, P. (2016). The inside threat: Why employee behaviour and opinions impact cyber risk. Willis Towers Watson. Retrieved from https:\/\/www.willistowerswatson.com\/en\/insights\/2016\/05\/inside-threat-why-employee-behavior-and-opinions-impact-cyber-risk"},{"key":"IJESMA.2020040101-1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.09.004"},{"key":"IJESMA.2020040101-2","doi-asserted-by":"publisher","DOI":"10.2307\/25750690"},{"issue":"3","key":"IJESMA.2020040101-3","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness.","volume":"34","author":"B.Bulgurcu","year":"2010","journal-title":"Management Information Systems Quarterly"},{"key":"IJESMA.2020040101-4","doi-asserted-by":"publisher","DOI":"10.1080\/08874417.2016.1258679"},{"key":"IJESMA.2020040101-5","doi-asserted-by":"publisher","DOI":"10.2753\/MIS0742-1222290305"},{"key":"IJESMA.2020040101-6","doi-asserted-by":"publisher","DOI":"10.2753\/MIS0742-1222310210"},{"key":"IJESMA.2020040101-7","doi-asserted-by":"publisher","DOI":"10.1108\/ICS-12-2015-0048"},{"issue":"2","key":"IJESMA.2020040101-8","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1108\/ICS-12-2015-0048","article-title":"Comparing the information security culture of employees who had read the information security policy and those who had not Illustrated through an empirical study.","volume":"24","author":"A.Da Veiga","year":"2016","journal-title":"Information and Computer Security"},{"key":"IJESMA.2020040101-9","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2009.09.002"},{"key":"IJESMA.2020040101-10","doi-asserted-by":"crossref","unstructured":"Da Veiga, A., & Eloff, J. H. P. (2010). A framework and assessment instrument for information security culture. Computers & Security,29(2), 196-207.","DOI":"10.1016\/j.cose.2009.09.002"},{"key":"IJESMA.2020040101-11","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.05.002"},{"key":"IJESMA.2020040101-12","doi-asserted-by":"publisher","DOI":"10.1016\/j.istr.2010.05.002"},{"issue":"4","key":"IJESMA.2020040101-13","doi-asserted-by":"crossref","first-page":"223","DOI":"10.1016\/j.istr.2010.05.002","article-title":"The positive outcomes of information security awareness training in companies - A case study.","volume":"14","author":"M.Emina\u01e7ao\u01e7lu","year":"2009","journal-title":"Information Security Technical Report"},{"key":"IJESMA.2020040101-14","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(09)70019-3"},{"issue":"2","key":"IJESMA.2020040101-15","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1361-3723(09)70019-3","article-title":"From culture to disobedience: Recognising the varying user acceptance of IT security.","author":"S.Furnell","year":"2009","journal-title":"Computer Fraud & Security"},{"key":"IJESMA.2020040101-16","doi-asserted-by":"publisher","DOI":"10.1016\/j.jsis.2010.10.002"},{"key":"IJESMA.2020040101-17","doi-asserted-by":"publisher","DOI":"10.2753\/MIS0742-1222280208"},{"key":"IJESMA.2020040101-18","doi-asserted-by":"publisher","DOI":"10.2753\/MIS0742-1222280208"},{"key":"IJESMA.2020040101-19","doi-asserted-by":"publisher","DOI":"10.1108\/09685220911006687"},{"issue":"5","key":"IJESMA.2020040101-20","doi-asserted-by":"crossref","first-page":"388","DOI":"10.1108\/09685220911006687","article-title":"Effects on employees\u2019 information security abilities by e-learning.","volume":"17","author":"J. M.Hagen","year":"2009","journal-title":"Information Management & Computer Security"},{"key":"IJESMA.2020040101-21","doi-asserted-by":"publisher","DOI":"10.1108\/09685221111153537"},{"issue":"3","key":"IJESMA.2020040101-22","doi-asserted-by":"crossref","first-page":"140","DOI":"10.1108\/09685221111153537","article-title":"The long-term effects of information security e-learning on organizational learning.","volume":"19","author":"J. M.Hagen","year":"2011","journal-title":"Information Management & Computer Security"},{"key":"IJESMA.2020040101-23","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2009.02.005"},{"issue":"2","key":"IJESMA.2020040101-24","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness.","volume":"47","author":"T.Herath","year":"2009","journal-title":"Decision Support Systems"},{"key":"IJESMA.2020040101-25","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2015.0569"},{"key":"IJESMA.2020040101-26","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2015.15"},{"key":"IJESMA.2020040101-27","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.12.012"},{"key":"IJESMA.2020040101-28","unstructured":"Kitchenham, B. (2004). Procedures for performing systematic reviews. Keele University Journal, 33, 1-26."},{"key":"IJESMA.2020040101-29","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2008.09.009"},{"key":"IJESMA.2020040101-30","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2012.07.001"},{"key":"IJESMA.2020040101-31","doi-asserted-by":"publisher","DOI":"10.1016\/j.jsis.2016.08.005"},{"key":"IJESMA.2020040101-32","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2016.11.065"},{"key":"IJESMA.2020040101-33","doi-asserted-by":"publisher","DOI":"10.4324\/9781315588537"},{"key":"IJESMA.2020040101-34","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2015.10.002"},{"key":"IJESMA.2020040101-35","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2011.157"},{"issue":"3","key":"IJESMA.2020040101-36","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1109\/MSP.2011.157","article-title":"Blaming noncompliance is too convenient: What really causes information breaches?","volume":"10","author":"K.Renaud","year":"2012","journal-title":"IEEE Security and Privacy"},{"key":"IJESMA.2020040101-37","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.01.004"},{"key":"IJESMA.2020040101-38","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2015.10.006"},{"key":"IJESMA.2020040101-39","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2013.08.006"},{"issue":"2","key":"IJESMA.2020040101-40","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1016\/j.im.2013.08.006","article-title":"Employees\u2019 adherence to information security policies: An exploratory field study.","volume":"51","author":"M.Siponen","year":"2014","journal-title":"Information & Management"},{"key":"IJESMA.2020040101-41","doi-asserted-by":"publisher","DOI":"10.1108\/09593841211254358"},{"key":"IJESMA.2020040101-42","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2013.27"},{"key":"IJESMA.2020040101-43","doi-asserted-by":"crossref","unstructured":"Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2015). Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems,24(1), 38-58.","DOI":"10.1057\/ejis.2013.27"},{"key":"IJESMA.2020040101-44","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2012.04.002"},{"key":"IJESMA.2020040101-45","doi-asserted-by":"crossref","unstructured":"Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from Habit and Protection Motivation Theory. Information & Management,49(3-4), 190-198.","DOI":"10.1016\/j.im.2012.04.002"},{"key":"IJESMA.2020040101-46","doi-asserted-by":"publisher","DOI":"10.17705\/1jais.00420"},{"key":"IJESMA.2020040101-47","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2015\/39.1.06"},{"issue":"2","key":"IJESMA.2020040101-48","first-page":"xiii","article-title":"Analyzing the past to prepare for the future: Writing a literature review.","volume":"26","author":"J.Webster","year":"2002","journal-title":"Management Information Systems Quarterly"}],"container-title":["International Journal of E-Services and Mobile Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=247936","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,6]],"date-time":"2022-05-06T06:03:41Z","timestamp":1651817021000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/IJESMA.2020040101"}},"subtitle":["A Framework and Research Agenda"],"short-title":[],"issued":{"date-parts":[[2020,4]]},"references-count":49,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.4018\/ijesma.2020040101","relation":{},"ISSN":["1941-627X","1941-6288"],"issn-type":[{"value":"1941-627X","type":"print"},{"value":"1941-6288","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,4]]}}}