Twentieth International Conference on Knowledge, Culture, and Change in Organizations

Abstract

Modern enterprises have been increasingly relying on technology to operate and make decisions. As technology advances, so do the sophistication of cyber-crimes, which results in an increase of information security measures. However, in spite of such security measures growth, data breaches costing millions of dollars happen every year, with a significant proportion of those in educational institutions. Recent reports have indicated that cyber attackers have increased their use of Social Engineering (SE) by concentrating exclusively on human elements in an effort to combat the improvements in security systems that utilize multi-layer security protocols. SE can be defined as the use of social means in order to get sensitive data by attempting to deceive people, and evading technical shields. While security-awareness training for users remain the preferred method to combat SE threats, recent surveys have indicated such that training programs can be largely ineffective. Thus, the institutions may need to get creative in order to implement effective organizational behavior change as well as security protocols to supplement security awareness. The literature suggests three aspects of a comprehensive organizational change: content, people, and process. People refers to humans involved in the change, and their behavior when implementing change. The deeper the organizational change, the more important it is for people to alter their own values and perspectives to align with the overall organizational perspective. This paper discusses the implementation of a practice that attempts to change organizational behavior toward data security, and discusses the success achieved in a higher education institution.