The Effect of Security Awareness on Compliance with Security Regulations by Teleworkers in the Period of COVID-19 Epidemic

The aim of this research was to investigate the effect of security awareness on compliance with security regulations by teleworkers during the epidemic of COVID-19 using the Health Belief Model (HBM). Users who experienced teleworking in organizations in Tehran after the outbreak of the disease were selected as the statistical population of this study and 288 people completed the research questionnaire and participated in it. The samples were selected using the available sampling method and then the information and research hypotheses were analyzed using structural equation modeling. The research findings showed that security awareness does not directly affect the compliance with security regulations in organizations by teleworking personnel, but it affects their privacy concerns and security expectations, and these two elements can lead them to more adhering to security regulations and policies of organizations.

Covid-19 pandemic is considered to be the most important global health disaster of the century and is the greatest challenge facing humanity since World War II. In fact, the corona outbreak is an example of a widespread crisis; A crisis in which events or their sequences occur on a large scale and are of astonishing speed, leading to a high degree of uncertainty that exacerbates irregularities. It creates a feeling of lack of control and causes emotional disturbance in people. This study attempts to examine the issue of security awareness and compliance with security regulations by employees, using the health belief model. Hochbaum (1958) developed the health belief model to study the behavior of individuals in health research. Based on what has been stated, the purpose of this study is to investigate whether users involved in telecworking have security awareness and whether there is a relationship between this security awareness and users' compliance with security regulations.

Theoretical framework

The health belief model was developed in the 1950s to explain and predict preventive health behaviors. This model identifies the feasibility, benefits, and costs associated with behavior intervention or change based on the four constructs (sensitivity, severity, benefits, and perceived barriers). In the field of information systems, this model can be used to explain the security behavior of users. This study uses the health belief model as the basis of its research model. The model includes constructs of perceived severity, perceived sensitivity, perceived threat, expectations (perceived benefits and barriers), and cues of action. In addition, the proposed model of the present study includes three other structures that do not exist in the health belief model: security awareness, privacy concern, and compliance with security regulations.

The approach of this study to achieve the results is to use a quantitative method with the data collected through a questionnaire and a survey. The questionnaire assesses security awareness, information privacy concerns, self-efficacy, expectations of security measures, security threats, and participants' security behavior. The statistical population of this study consists of people involved in teleworking in Iranian organizations. The questionnaire consists of two parts: general questions (gender, job title, passing security courses in the organization and the level of proficiency in using common IT tools) and specialized questions that are categorized based on the components of the research. Specialized questions consist of four parts; health belief model, privacy concern, security compliance, and security awareness. To test the hypotheses of this study, structural equation modeling and multiple regression analysis were used.

According to the results obtained from the test of research hypotheses, it was found that all research hypotheses were confirmed and only hypothesis 9 (the effect of perceived threat on compliance with security regulations) was not approved. These results mean that security awareness has a positive effect on expectations (perceived benefits - perceived barriers), privacy concerns, and perceived threats. These results are consistent with the results of previous studies. In addition, the results showed that the severity and sensitivity perceived by users has a positive effect on the perceived threat by them. These results are consistent with the results of previous studies. Expectations and privacy concerns also have a positive and significant effect on compliance with security regulations. These results are completely consistent with the results obtained in the past. In another part of the research results, it was found that privacy concerns and cues of action have a positive and significant effect on perceived threat. These results are fully consistent with studies conducted other researchers. However, the results of the study indicate that perceived threats to security issues do not have a significant effect on compliance with security regulations.

In summary, the findings of this study show that the majority of teleworking users are somewhat aware of security issues (especially in the field of social engineering). Although this issue does not directly affect compliance with organizations' security regulations and policies, it does affect expectations, privacy concerns, and perceived threats. Also, expectations and privacy concerns have a positive and significant effect on compliance with security regulations in organizations, but the perceived threat has no significant effect on compliance with these regulations. Based on the above results, the managers of organizations (especially information technology and security managers) can be advised to improve their staff awareness of security issues related to teleworking by holding awareness and training courses in the field of information security. Consequently, in the case of incidents and events (such as the outbreak of Covid-19 pandemic) that inevitably lead to teleworking, they can comply with the organization's security regulations in their organizational activities so as not to compromise the organization's data and information.