IMPROVING INFORMATION SECURITY PRACTICES TO REDUCE SECURITY-RELATED STRESS IN END-USERS

Abstract

This thesis studies the causes and consequences of security-related stress (SRS) in organizations as well as how to combat the negative effects of the phenomenon. SRS, meaning stress that arises from information security requirements and practices enforced by the organization, can be considered as a derivation of the more researched concept of technostress which has been studied since the introduction of the first computers into the workplace. The primary theoretical framework used in this study is a conceptualization of security-related stress by Ament & Haag (2016), which suggests that security-related stress manifests itself through different stressors in three different environments: the work environment, the personal environment and the social environment. As all previous research on security-related stress has been studied quantitatively, this study aims to provide new insight into the phenomenon qualitatively through the semi-structured interview method. The findings of the study bring to light the fact that while many of the causes and consequences of SRS identified in scientific research can truly be found in an organization, they are not usually characterized or experienced as stressful by the employees. The more pressing matter seems to be the divide between information security professionals and end users, as most employees are not security-conscious and do not see information security as a real threat therefore neglecting their information security responsibilities.