Behavioral Approach to Security Risk Management: Empirical Research Results
DOI: https://doi.org/10.22598/pi-be/2025.2.37620
Keywords: risk management, security risks, behavioral analysis, ISO 31000
Abstract
Purpose: In the context of growing interest in integrating psychological and social dimensions into risk management, the aim of this paper is to analyze the interrelationship between behavioral factors and acceptance of the ISO 31000:2018 standard. Methodology: The theoretical framework is based on the theory of planned behavior (TPB), taking into account the influence of attitudes, subjective norms and perceived behavioral control on employees' security-oriented behavior. The empirical research was conducted on a sample of 125 respondents, and external factors (pressure from superiors, work environment) and internal factors (security awareness, perceived effectiveness and risk exposure) were analyzed in relation to acceptance of the standard. Results: The research shows a statistically significant positive correlation between the influence of the work environment and acceptance of the standard, while in the case of pressure from superiors a negative correlation was found, which points to employee resistance to an authoritarian approach. The findings further confirm the importance of security culture and a positive organizational climate in fostering compliance with security standards. Practical implications: The results obtained provide an empirical basis for redefining organizational risk management strategies through the integration of behavioral insights into institutional frameworks, with the aim of increasing the effectiveness and sustainability of the security management system. Originality/value: The paper contributes to the literature with empirical evidence on the role of behavioral factors in the process of accepting the ISO 31000:2018 standard, emphasizing the need to include psychological aspects in the development of organizational security culture and contemporary risk management practices.
Copyright (c) 2025 Ivana Pokrajčić

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
All articles are published under the Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0). This license permits non-commercial use, sharing, and reproduction in any medium, with proper attribution to the original authors and source.
Authors retain full copyright of their work while granting the journal the right of first publication.
The journal is published by the Faculty of Economics & Business, University of Zagreb, which also acts as the copyright holder.
© The Author(s). Published by Poslovna izvrsnost – Business Excellence.
