Information security and information systems security (SSI)
GENERAL DESCRIPTION OF THE GTAIM THEME:
Information systems security is a major topic today, all the more so because organizations depend increasingly on their data. Recent events have renewed interest in this field, notably the rise of remote work, which led to greater use of Shadow IT[1]; this has proved to be the source of numerous security weaknesses, in particular those related to phishing. Recent years have also seen the rise of ransomware, a reliable source of income for malicious actors.
The objective is to better understand the behaviors of the actors involved (executives, managers and employees), notably through coping theory (Lazarus and Folkman, 1984) and the models that have been adapted to the SSI context, such as protection motivation theory (PMT, Maddux and Rogers, 1983; Mou et al., 2022) or the extended parallel process model (EPPM, Witte and Allen, 2000; Chen et al., 2021), which incorporates the notion of fear arising from perceived threats (Lowry et al., 2023). The GTAIM is interested, among other things, in the theoretical, practical and methodological developments of these behavioral theories: employees' motivation to adopt beneficial behaviors (Cram et al., 2019) or to break the rules (Burns et al., 2022; Trinkle et al., 2021; Yazdanmehr et al., 2022); the evolution of cybercrime and the new behaviors of attackers (Crossler et al., 2013); the influence of culture (Vance et al., 2020) and social bonds (Feng et al., 2019) on SSI behaviors. It also covers the mechanisms and impacts of social engineering, as well as the means of education and awareness (SETA[2]) that are indispensable for countering social engineering.
This GTAIM is also interested in the wide range of SSI research questions that keep pace with evolving threats and vulnerabilities, as well as in privacy and compliance issues.
Example topics: economics and impacts of cybersecurity, societal and sociotechnical issues, strategy and governance, preservation of privacy and ethics in organizations and social networks, cybercrime, cyberwarfare, Neuro-IS, security analytics and artificial intelligence systems, etc.
Finally, the GTAIM is open to education and awareness issues in companies and in school and university curricula.
Keywords:
Security, information, behaviors, cybercrime, hackers.
LEADING TEAM:
Contact: Yves Barlette – Montpellier Business School.
y.barlette@montpellier-bs.com
Yves Barlette is a Full Professor (HDR) of Information Systems at Montpellier Business School. His research investigates the information security behaviors of employees and CEOs in organizations. He has 22 publications in journals such as Systèmes d’Information et Management, International Journal of Information Management, Journal of Organizational Change Management, Journal of Global Information Management, and Production Planning & Control. He has also authored or co-authored 14 books and book chapters. He is Associate Editor of Communications of the AIS, Editorial Review Board member of the International Journal of Information Management, and Editorial Board member of Systèmes d’Information et Management and of Information & Media.
Coordinator: Jean-Francois Berthevas – La Rochelle University School of Management (IAE).
univjfb@gmail.com
Jean-Francois Berthevas is Associate Professor of Information Systems at La Rochelle University School of Management, France. He is a member of the Centre de Recherche Lithoral. His current research focuses on information security and behavioral issues, and on the digital transformation of organizations. He is Director of the School of Management at University La Rochelle (France). He has 10 years of experience as an IT specialist and 7 years as a manager in the field of cybersecurity. He has published two articles in Systèmes d’Information et Management.
Coordinator: Jean-Loup Richet – Sorbonne Business School (IAE Paris).
richet.iae@univ-paris1.fr
An expert in cybersecurity, Jean-Loup Richet is Associate Professor of Management and co-director of the Risk Chair at Sorbonne Business School, IAE Paris, Université Paris I Panthéon-Sorbonne, France. He is an accredited expert in cybercrime for Europol and the Gendarmerie Nationale and has authored multiple studies for the United Nations Office on Drugs and Crime, Europol, the International Telecommunication Union and the European Commission. Jean-Loup Richet’s work explores the boundaries of cybercrime and cybersecurity, focusing on trends in online money laundering and new frauds enabled by artificial intelligence and machine learning. He has published numerous papers in trade and academic journals (European Journal of Information Systems; IEEE Transactions on Engineering Management; Technological Forecasting and Social Change; Systèmes d’Information et Management); his work has been featured in The Wall Street Journal, Wired, CBS, MIT Technology Review, Computer World, and many other media outlets. Jean-Loup Richet has received several awards, such as the ITU Fellowship, the French Ministry’s innovation and research grant, and the Robert Reix research prize from the Association Information & Management.
Coordinator: Laura Georg Schaffner – Ecole de Management Strasbourg.
laura.g.schaffner@em-strasbourg.eu
Laura Georg-Schaffner is Associate Professor of Information Systems at the Ecole de Management Strasbourg, University of Strasbourg. She is a member of the HuManiS laboratory and an external research fellow at the UC Berkeley Center for Long-term Cybersecurity. Her PhD thesis focused on the interrelationship between information security (ISS) and business strategy. Her current research focuses on management and governance issues in ISS. She is the former head of the Norwegian Information Security research laboratory (NISlab) and has 19 years of experience in ISS management, including 8 years as a management consultant on more than 100 projects worldwide.
Objectives:
Review:
Recent publications by date (2024-2019) within the GT-AIM SSI:
Journals (FNEGE/ABS ranking at time of publication)
(2) Barlette Y., Berthevas J.-F., & Sueur I. (2024). Impacts on Employee Coping Behaviors of Opportunities and Threats Related to the Use of Shadow IT. Systèmes d’Information et Management, 29, forthcoming.
(3) Azan W., Ivanaj S., Schneider B., Gilg M. (2023). Enhancing Information Security Awareness in the Remote Work Environment: A Quantitative Exploration. Gestion 2000, forthcoming.
(2) Baillette P., Barlette Y., & Berthevas J.-F. (2022). Benefits and Risks of Shadow IT in Health Care: A Narrative Review of the Literature. Systèmes d’Information et Management, 27(2), 59-96.
(2) Richet J.L. (2022). How Cybercriminal Communities Grow and Change: An Investigation of Ad-Fraud Communities. Technological Forecasting & Social Change, 174, 121282.
(2) Barlette Y., Jaouen A., & Baillette P. (2021). Bring Your Own Device (BYOD) as Reversed IT Adoption: Insights into Managers’ Coping Strategies. International Journal of Information Management, 56(February): 1-16.
(nc) Azan W., & Gilg M. (2021). Covid 19, Social engineering et Cyberattaques. Cahiers de l’INHESJ, 50, La Documentation Française, Paris.
(2) Berthevas J-F. (2021). How protection motivation and social bond factors influence information security behavior. Systèmes d’Information et Management, 26(2), 77-115.
(2) Baillette P., & Barlette Y. (2020). Coping Strategies and Paradoxes Related to BYOD Information Security Threats in France. Journal of Global Information Management, 28(2), 1-28.
(2) Barlette Y., & Jaouen A. (2019). Information security in SMEs: determinants of CEOs’ protective and supportive behaviors. Systèmes d’Information et Management, 24(3), 7-40.
Book chapters
Ismail O. (2022). Designing Information Security Culture Artifacts to Improve Security Behavior: An Evaluation in SMEs. In: Drechsler, A., Gerber, A., Hevner, A. (eds), The Transdisciplinary Reach of Design Science Research, vol 13229: 319–332, Springer, USA.
Baillette P., & Barlette Y. (2021). Coping Strategies and Paradoxes Related to BYOD Information Security Threats in France. In: Information Resources Management Association (Ed.), Research Anthology on Securing Mobile Technologies and Applications: 527-558, IGI Global, USA.
Indicative bibliography of the GTAIM:
Burns, A.J., Roberts, T.L., Posey, C., Lowry, P.B., & Fuller, B. (2022). Going beyond deterrence: A middle-range theory of motives and controls for insider computer abuse. Information Systems Research, 34(1), DOI: 10.1287/isre.2022.1133.
Chen, Y., Galletta, D., Lowry, P.B., Luo, X., Moody, G.D., & Willison, R.L. (2021). Understanding inconsistent employee compliance with information security policies through the lens of the extended parallel process model. Information Systems Research, 32(3), 1043-1065.
Cram, W.A., D’Arcy, J., & Proudfoot, J.G. (2019). Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Quarterly, 43(2), 525–554.
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. Computers & Security, 32, 90-101.
Feng, G., Zhu, J., Wang, N., & Liang, H. (2019). How Paternalistic Leadership Influences IT Security Policy Compliance: The Mediating Role of the Social Bond. Journal of the Association for Information Systems, 20(11), 1650-1691.
Floyd, D.L., Prentice-Dunn, S., & Rogers, R.W. (2000). A meta-analysis of research on protection motivation theory. Journal of Applied Social Psychology, 30(2), 407-429.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: an empirical study. MIS Quarterly, 34(3), 549-566.
Lazarus, R.S., & Folkman, S. (1984). Stress, appraisal, and coping. New York: Springer Publishing Company.
Liang, H., Xue, Y., Pinsonneault, A., & Wu, Y. (2019). What Users Do Besides Problem-focused Coping When Facing IT Security Threats: An Emotion-Focused Coping Perspective. MIS Quarterly, 43(2), 373-394.
Lowry, P.B., Moody, G.D., Parameswaran, S., & Brown, N.J. (2023). Examining the differential effectiveness of fear appeals in information security management using two-stage meta-analysis. Journal of Management Information Systems, (forthcoming).
Mou, J., Cohen, J.F., Bhattacherjee, A., & Kim, J. (2022). A Test of Protection Motivation Theory in the Information Security Literature: A Meta-Analytic Structural Equation Modeling Approach. Journal of the Association for Information Systems, 23(1), 196-236.
Trinkle, B.S., Warkentin, M., Malimage, K., & Raddatz, N. (2021). High-Risk Deviant Decisions: Does Neutralization Still Play a Role? Journal of the Association for Information Systems, 22(3), 797-826.
Vance, A., Siponen, M.T., & Straub, D.W. (2020). Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. Information & Management, 57(4), 103212.
Witte, K., & Allen, M. (2000). A meta-analysis of fear appeals: Implications for effective public health campaigns. Health Education & Behavior, 27(5), 591–615.
Yazdanmehr, A., Li, J., & Wang, J. (2022). Does stress reduce violation intention? Insights from eustress and distress processes on employee reaction to information security policies. European Journal of Information Systems, DOI: 10.1080/0960085X.2022.2099767.
GTAIM members (15)
Sophie Agulhon sophie.agulhon@univ-paris8.fr
Serge Amabile serge.amabile@univ-amu.fr
Wilfrid Azan wilfrid.azan@univ-lyon2.fr
Yves Barlette y.barlette@montpellier-bs.com
Jean-François Berthevas univjfb@gmail.com
Wafa Bouaynaya bouaynayaw@excelia-group.com
Alain Cucchi alain.cucchi@univ-reunion.fr
Eric Di Benedetto eric.di-benedetto@univ-reunion.fr
Ana-Maria Florescu ana-maria.florescu@etu.univ-amu.fr
Laura Georg Schaffner laura.g.schaffner@em-strasbourg.eu
Olfa Ismail ismailolfa@gmail.com
Jean-Fabrice Lebraty jean-fabrice.lebraty@univ-lyon3.fr
André Mourrain andre.mourrain@univ-brest.fr
Emilie Péneloux emilie.peneloux@etu.u-pec.fr
Jean-Loup Richet jean-loup.richet@iae.pantheonsorbonne.fr
[1] Shadow IT: the use of IT systems, devices, software, applications and services without the explicit approval, or even against the prohibition, of the IT department.
[2] Security Education, Training and Awareness.