The Strength of the Chain is in its Weakest Link

Abstract: Information is one of the most valuable assets for an organization. However, through the evolution of the internet, it has become increasingly difficult for organizations to protect their information assets. Although firewalls and other technological tools are necessary, it is increasingly acknowledged that humans are the weakest link in ensuring information security (IS). The aim of this thesis is therefore to explore how employee IS behavior can be enhanced. A cross-sectional study was conducted including three of the four largest banks in Sweden: SEB, Swedbank and Handelsbanken. In total, 16 in-depth interviews with IS managers and users were conducted, followed by an analysis based on the Theory of Planned Behavior. The findings from the study imply that employee IS behavior can be improved through a focus on threat awareness, management support and participation, communication, social learning, security culture and self-efficacy. These results enhance the knowledge about what aspects that can be considered valuable for organizations to mitigate the risk of the human element in IS. It can further give suggestions to practitioners as they design their information security programs.