Analysis of Factors Affecting Information System Security Behaviour in Employees at IT Company

Most companies have prioritized a technology approach to protecting their information assets from potential attacks. The availability of information has a vital role for companies today, including confidentiality and integrity in supporting the company's performance. Users or employees are a significant factor in many information security breaches. This study aims to determine whether security education & training, information security awareness, employee relationships, employee accountability, organizational culture, and national culture significantly affect Information System Security Behavior. The analysis uses survey data from employees at companies in Jakarta and uses a structural equation modeling approach through SmartPLS 3. The results show that security education & training has no direct and significant effect on employee security behavior in companies in Jakarta. Security education & training affects the three mediators (Information System Awareness, Employee Relationship, and Employee Accountability), and the three mediators affect employee security behavior. The most influential variable is employee accountability.


I. INTRODUCTION
Information Technology is the design, implementation, development, support, and management of computer-based information systems consisting of hardware or software. In this increasingly advanced era, information technology is widely used to make efficient use of the company's time and operational costs in processing large and substantial amounts of data [1].
The security of data or information owned by the company needs to be considered in the use of information technology. Security is an essential part of information systems because it concerns personal and confidential data belonging to users or companies. However, unfortunately, information system vulnerabilities related to data are still common. Vulnerabilities can occur due to various threats, including viruses, human error, and hacking.
In 2020, data breach incidents became a big topic in Indonesia, when millions of personal data records belonging to users of various major e-commerce sites were leaked. Data is one of the essential assets for a company, because much information can be derived from it. A data breach incident may result in the disclosure of an individual's PII (Personally Identifiable Information), putting that person's data at risk of theft or misuse [2].
Based on the website of the State Cyber and Password Agency (BSSN) in 2021, here are the provinces in Indonesia that experienced the most data breaches from January to December 2021:

ISSN 2085-4579
Based on Figure 1, it can be seen that data breach incidents still occur in Indonesia. The province in Indonesia with the highest vulnerability rate is Greater Jakarta, with 48,477,059 cases.
Meanwhile, in 2021, the Garuda Eye Monitoring System detected 217.7 million cyber threats to Indonesia's internet network. Most of these threats are attempted data leaks using malware [4]. This malware is a type of ransomware that can encrypt files and directories on an infected computer, and generally a notification will appear demanding payment of a ransom [5]. The results of reports in 2021 from 99 firms show that 71% of the most common cyber threats are malware that attacks company databases and blocks user access [6]. The factors that influence the malware threat are deliberate intent on the part of irresponsible parties and negligence on the part of users. One example of user negligence is accidentally accessing a particular site that asks for authentication or shows a notification, which unknowingly gives the malware permission to enter and attack the user's computer. Some sites even show a pop-up that triggers the computer to download a file or application, which lets malware enter and damage the operating system without the user knowing [7].
Threats in the company are evidence that users/employees still do not have good information security awareness, so their activities on the company network, including use of the internet, can threaten the security of company information without them realizing it [8]. Almost all companies have prioritized a technology approach to protecting their information assets from potential attacks. Some commonly used information security technologies include firewall devices, antivirus software, IDS, and others. Although the prevention of attacks by technical means is essential, the risk of information security breaches from insider threats is genuine. Users or employees are a significant factor in many information security breaches. Thus, more and more attention is paid to the human side of information security [9].
Employees are the leading cause of many data breaches in companies. Information security breaches often occur due to employee ignorance or careless behavior [10]. Based on the Nucleus Cyber 2019 Insider Threat Report shown in Figure 2, companies are more worried about unintentional/negligent data breaches (70%), data breaches due to negligence (66%), and intentional data breaches (62%).
Figure 2. Types of Internal Threats [11]
In the same report, Figure 3 shows that the main reason for internal attacks is the lack of awareness and training of employees (56%). Maintaining employee compliance with information security rules depends heavily on the employees' behavior because technical controls cannot prevent all human errors. For example, employees tend to write down passwords, share them with coworkers, or send confidential information in an unencrypted form. Other sources also say that employees are the weakest link in the information security chain [12]. The main challenge for organizations is to find ways to build employee awareness and concern about the importance of information security.
Based on the Preventive Maintenance report for the period February-April 2022 at one of the IT companies in Jakarta, there are several threats:

Figure 4. Threats in IT Company
Based on the threats seen in Figure 4, there are still many employees who do not have a high awareness of the importance of information security in the company. The risks that arise from threats to information security are that data contained in computer systems can be tampered with or deleted, that data can be accessed or changed by an unauthorized user, and that information can be falsified by unauthorized persons [13].
Threats can also occur when accessing a website without guaranteed security. There are several access violations to specific websites with different categories:
Figure 5. Website Breach at an IT Company
Based on Figure 5, the company blocked Netflix because Netflix was not willing to meet some of the subscription-based video on demand (SVOD) service requirements applicable to the company [14]. This company also blocks the Telegram website because of the orders given by the Indonesian government [15].
The sample in this study is a company in Jakarta. The variables used in this study are Security Education and Training (SET), Information Security Awareness (ISA), Employee Relationship (ER), Employee Accountability (EA), Organizational Culture (OC), and National Culture (NC), which are tested for their effect on employee security behavior.

A. Research Model
The following is the research model used:

B. Hypothesis
Some hypotheses that can be formulated are as follows:

C. Variable Measurement
In measuring variables, indicators are needed to test the validity of these variables. The indicators obtained are based on three journals in the research model. They will be used to develop questions that are compiled into a questionnaire that will be distributed to respondents [16].

D. Data collection technique
The measurement in this study will use a Likert scale, where data is collected from the results of a questionnaire survey which is distributed using a Google Form to employees at an IT company in Jakarta.

E. Data analysis
The analytical method used in this research is Structural Equation Modeling (SEM) using SmartPLS 3 software [17].
Measurement Model
Because the data collection in this study used a questionnaire, it is necessary to have a measuring tool to determine validity and reliability. A validity test is a form of testing the quality of primary data to measure the validity of a question in research. The reliability test, in turn, is a tool to measure a questionnaire which is an indicator of a variable or construct. A questionnaire is said to be reliable if someone's answers to the questions are consistent [18].
The validity test consists of two types: the convergent validity test and the discriminant validity test. The convergent validity test can be done in several ways, including by looking at the loading factor value on each indicator, which must be greater than 0.7, or at the Average Variance Extracted (AVE) value of each variable, which must be greater than 0.5.
The reliability test can be done by calculating the Cronbach's Alpha and Composite Reliability value. The test is reliable if the Cronbach's Alpha value is above 0.6 and the Composite Reliability value is above 0.7.

A. Previous Research
The research model used is a modification of the three previous research models.
• SETA significantly impacts security behaviour through monitoring, ER, and EA [19].
• The journal Employee Security Behaviour shows that security procedures such as rules and education impact employees' awareness to behave obediently [20].
• The journal Investigation of Employee Security Behavior investigates security precautions and cultural factors against employee security behaviour [21].
• The journal Managing Employee Compliance with IS Policies discusses three variables: Top Management, Organizational Behavior, and Theory of Planned Behavior [22].
• The journal The Influence of Organisational Culture and Information Security Culture on Employee Compliance Behavior discusses the combined influence of OC and information security culture [23].

B. The Convergent Validity Test
An indicator must represent one latent variable and underlie the latent variable. For this reason, a convergent validity test is needed. The convergent validity test can be done in several ways, including looking at the loading factor value, which is the value generated by each indicator to measure the variable, or the Average Variance Extracted (AVE) value. In this study, the loading factor value must be greater than 0.7, and the Average Variance Extracted (AVE) value must be greater than 0.5. This value describes adequate convergent validity, which means that one latent variable can explain more than half of the variance of its indicators on average.
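The convergent validity cut-offs above and the reliability cut-offs given under Measurement Model can be checked as follows. This is an added example, not code or data from the study: the loadings and Likert responses are constructed, the construct names are borrowed from the paper only as labels, and the formulas are the standard ones for AVE, Composite Reliability and Cronbach's Alpha.

```python
from statistics import pvariance

# Cut-offs stated on this page.
MIN_LOADING, MIN_AVE, MIN_ALPHA, MIN_CR = 0.7, 0.5, 0.6, 0.7

def ave(loadings):
    """Average Variance Extracted: mean of the squared standardized loadings."""
    return sum(l * l for l in loadings) / len(loadings)

def composite_reliability(loadings):
    """(sum of loadings)^2 over itself plus the summed error variances 1 - l^2."""
    s = sum(loadings) ** 2
    return s / (s + sum(1 - l * l for l in loadings))

def cronbach_alpha(responses):
    """responses: one row per respondent, one Likert score per indicator."""
    k = len(responses[0])
    total_var = pvariance([sum(row) for row in responses])
    if k < 2 or total_var == 0:
        raise ValueError("need at least two indicators and varying total scores")
    item_var = sum(pvariance(col) for col in zip(*responses))
    return k / (k - 1) * (1 - item_var / total_var)

def assess(loadings, responses):
    """Apply the page's cut-offs to one latent variable."""
    return {
        "weak_indicators": [i for i, l in enumerate(loadings, 1) if l <= MIN_LOADING],
        "ave_ok": ave(loadings) > MIN_AVE,
        "alpha_ok": cronbach_alpha(responses) > MIN_ALPHA,
        "cr_ok": composite_reliability(loadings) > MIN_CR,
    }

# Constructed sample: a construct whose three indicators move together ...
EA_LOADINGS = [0.82, 0.79, 0.88]
EA_RESPONSES = [[5, 4, 5], [4, 4, 4], [2, 3, 2], [3, 3, 4], [5, 5, 5], [1, 2, 1]]
# ... and one whose indicators do not, so every check fails.
OC_LOADINGS = [0.81, 0.45, 0.62]
OC_RESPONSES = [[5, 2, 3], [4, 5, 1], [2, 4, 4], [3, 1, 5], [5, 3, 2], [1, 4, 3]]

if __name__ == "__main__":
    print("EA", assess(EA_LOADINGS, EA_RESPONSES))
    print("OC", assess(OC_LOADINGS, OC_RESPONSES))
```

An indicator listed under weak_indicators is one that would be dropped or reworded before the structural model is estimated.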

F. The Hypothesis Test
Hypothesis analysis is carried out using bootstrapping methods. The significance level used is 5% (0.05), which means that the relationship between variables is said to be significant if the p-values < 0.05.
The results of this study can practically be used as input for companies to pay more attention to education, training, and information security awareness of employees. This is because there has been a significant influence between the Security Education & Training variables on Information System Awareness, Employee Relationships, and Employee Accountability
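The bootstrap significance test from section F can be sketched as follows for a single path between two construct scores. This is an added example, not the study's data or SmartPLS code: the scores are constructed, the path has one predictor, and the p-value uses a normal approximation, which is an assumption of this example.

```python
import math
import random
from statistics import mean, pstdev, stdev

ALPHA = 0.05  # significance level stated on this page

def path_coefficient(x, y):
    """Standardized coefficient of a one-predictor path (equals Pearson r)."""
    mx, my, sx, sy = mean(x), mean(y), pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:
        return None  # degenerate resample: no variance, no estimate
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (len(x) * sx * sy)

def bootstrap_test(x, y, n_boot=1000, seed=1):
    """Return (beta, t, p): original estimate, bootstrap t-statistic, two-sided p."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    n, estimates = len(x), []
    while len(estimates) < n_boot:
        idx = [rng.randrange(n) for _ in range(n)]  # resample respondents with replacement
        b = path_coefficient([x[i] for i in idx], [y[i] for i in idx])
        if b is not None:
            estimates.append(b)
    beta = path_coefficient(x, y)
    t = beta / stdev(estimates)  # estimate divided by its bootstrap standard error
    p = math.erfc(abs(t) / math.sqrt(2))  # normal approximation (assumption)
    return beta, t, p

def supported(x, y):
    """A hypothesis is supported when the path's p-value is below 0.05."""
    return bootstrap_test(x, y)[2] < ALPHA

# Constructed construct scores for 20 respondents (labels borrowed from the paper).
SET = [1, 2, 3, 4, 5] * 4
ISSB = [3, 1, 5, 1, 3] * 4  # built to be uncorrelated with SET
EA = [3, 2, 5, 1, 4, 2, 1, 4, 1, 3, 3, 1, 5, 2, 3, 4, 1, 5, 1, 2]  # ISSB plus small noise

if __name__ == "__main__":
    for name, x in (("SET -> ISSB", SET), ("EA -> ISSB", EA)):
        beta, t, p = bootstrap_test(x, ISSB)
        print(f"{name}: beta={beta:.3f} t={t:.2f} p={p:.4f} supported={p < ALPHA}")
```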