IFIP 2023
The 2023 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13
Program chairs: Jacques Ophoff, Alexandra Durcikova, Justin Giboney
Conference Proceedings
Proceedings Editor: Anthony Vance
Paper 1: What Values should Online Consent Forms Satisfy? A Scoping Review.
Karen Renaud, Paul van Schaik
Background: Online users are presented with consent forms frequently, as they visit new websites. Such forms seek consent to collect, store and process a web user’s data. The forms contain a wide range of statements that attempt to persuade people to grant such consent.
Aim: In this paper, we review the literature to determine what researchers say about the human values/needs online consent forms should satisfy.
Methods: We carried out a scoping review of the literature on consent forms, in order to understand the research in this area. We conclude with a value-based model of online consent.
Results: Our investigation revealed six distinct human values, and their associated value creators, that online consent forms ought to satisfy in order to support informed consent-related decision making.
Conclusions: We conclude with a suggestion for future work to validate the proposed model.
Paper 2: Using Subtle Message Framing to Shift Privacy Decisions.
Da Ma, Xixian Peng, Matthew J Hashim, Qiuzhen Wang
The design of privacy settings plays a crucial role in the interactions between users and service providers. Our research examines whether, how, and when positive and negative message framing influence users’ decision making in privacy settings via two experimental studies. Study 1 shows that positive framing performs better in persuading users to grant permission requests than negative framing, and the information processing fluency accounts for this effect. Study 2 further identifies the moderating role of privacy salience, that is, the framing effect disappears after enhancing privacy salience. Overall, our research clarifies the impact of message framing on privacy behaviors, reconciles some of the inconsistent findings in framing effects, and suggests a potential way to integrate the normative and behavioral theoretical lens in previous IS privacy research using message framing as an entry point. Our findings also provide guidance for policymakers and practitioners regarding how to frame messages in privacy settings.
Paper 3: Personality Facets and Behavior: Security Decisions under Competing Priorities.
Sanjay Goel, Jingyi Huang, Alan Dennis, Kevin Williams
Half of all security breaches can be traced to employees not following security procedures even though they do not intend to cause harm. We theorize that this problem is not a lack of security knowledge nor willful disobedience, but rather employees making poor security decisions when trying to balance the competing priorities of their primary responsibilities against the productivity impediments that security compliance creates. We investigated the effects of security knowledge and seven personality facets from the Five Factor Model to see if there were predictable patterns in the way employees with different personalities made security decisions when faced with competing priorities. Security knowledge had no effect, suggesting that we cannot train our way out of security problems. However, six of the personality factors together had a medium effect on security decision making in situations where security compliance competes with other responsibilities. Higher dutifulness, cautiousness, achievement striving, and self-consciousness led to higher quality security decisions; higher morality led to lower quality decisions; assertiveness had mixed effects; and modesty had no effect.
Paper 4: An Examination of How Security-Related Stress, Burnout, and Accountability Design Features Affect Security Operations Decisions.
Mary Grace Kozuch, Adam Hooker, Philip Menard, Tien N Nguyen, Raymond Choo
Security analysts are under increased pressure to perform protective activities for organizations. Even in contexts where analysts are assisted by artificial intelligence, increased pressure is placed on analysts to successfully perform their duties, including the competing efforts of balancing the protection of organizational information security and ensuring information privacy of consumers. Although system accountability features are shown to improve security behaviors among employees, contextual and external pressures could affect the influence of such features. Security-related stress (SRS) and burnout may also contribute to the perceived demands on security analysts in modern threat landscapes. In this manuscript, we propose a study where we examine the competing forces that may influence the decision-making capabilities of a security analyst working as a “human-in-the-loop” within an AI-enhanced security system. We will use the factorial survey method and multilevel analysis to detect the potential effects of accountability, threat severity and probability, and data sensitivity at the situational, decision-making level, as well as the influence exerted by SRS and burnout at the employee level. We also discuss potential implications of our work.
Paper 5: Extending the Unified Model of ISP Compliance: The Role of Meso-level Factors.
Dawei Wang, Alexandra Durcikova, Alan Dennis
Unified model of information security compliance (UMISPC) integrates various theoretical models explaining employees’ intention to comply with information security policies (ISP) (Moody et al. 2018). The UMISPC reduces many similar constructs to 11 micro-level factors. Since the introduction of UMISPC, several studies identified new constructs salient to ISP compliance at the meso- and macro-levels. This study aims to extend the well-established UMISPC by incorporating newly identified meso- and macro-level constructs. In doing so, we propose that a substantial disparity in ISP compliance exists among meso-level predictors. Expected contributions are discussed.
Paper 6: Bosses Behaving Badly: Managers Committing Computer Abuse.
Laura Amo
The zero-trust model for information security assumes that no network or person can be fully trusted, and it has been advocated for mitigation of insider threats. Managers, however, tend to be regularly entrusted with extensive access to organizational information and systems, creating more opportunity for insider behavior. I draw on theories of power and criminology to theorize that managers are more likely to engage in computer abuse behavior because they have greater opportunity/access due to having more legitimate power in the organization. In the present study (n = 437 working adults), I examine aspects of managerial status including level of management and number of supervisees and determine that both are positively related to computer abuse. I determine that managers are more likely to engage in computer abuse compared to non-managers, and that the more employees that a manager supervises, the more likely they are to engage in this deviant behavior. I then go on to establish a causal chain in the relationship between managerial status and computer abuse through managerial need for power; managers are more likely to have a strong need for power which is related to computer abuse. This work contributes to the research on insider threats, and has direct implications for practice.
Paper 7: Encouraging Peer Reporting of Information Security Wrongdoings: A Normative Ethics Perspective.
Reza Mousavi, Adel Yazdanmehr, Jingguo Wang, Fereshteh Ghahramani
This paper addresses the need for additional control mechanisms for reducing the risk of insider threats in organizations. Specifically, it explores the potential benefits of peer reporting of information security policy (ISP) violations, a topic that has not received much attention in the information security literature. Using normative ethics dimensions, namely virtue, deontological, and consequentialism ethics, this study investigates the factors that influence employees' decisions to engage in peer reporting. It presents a research model in which the deontological perspective, emphasizing the employees' role responsibilities, and the consequentialist perspective, emphasizing the potential outcomes of reporting, can be integrated with the virtue ethics perspective of personal responsibility to provide a comprehensive understanding of the motivations for peer reporting of ISP wrongdoings. It proposes that personal responsibility to report, organizational support regarding peer reporting, and perceived effectiveness of reporting are key factors influencing peer reporting behavior. The study aims to collect data from 300 employees across different industries and organizations to test its hypotheses. The findings of this study offer insights into the complex interplay of personal and organizational factors that influence peer reporting behavior.
Paper 8: Predicting Game Cheating Behavior Through the Social Network.
Richard Alvarez, Paras Bhatt, Dorde Klisura, Kim-Kwang Raymond Choo
Cheating behavior is a major security threat for online gaming, ranging from a minor unfair advantage in game to completely disabling victim systems and identity theft. In this paper, we propose a social network analysis study on Steam users banned for cheating on the online platform. We will collect the identified cheater's data from a social network with a depth of n+3 and identify user descriptive characteristics that are correlated with the contagion effect of cheating behavior. These characteristics will then serve as inputs to develop a cheating probability ratio that will be tested on future user social networks.
Paper 9: Analyzing Online Media Platforms for Hacktivist Group Organization and Proliferation.
Quincy Taylor, Derek L Hansen, Hridoy Sankar Dutta, Justin Giboney
Technology assists communication and coordination. Social media platforms increase the reach of individuals, but also increase the need to demand attention. Hacktivist groups thrive on attention. This research seeks to understand how hacktivists gain attention by following the Telegram messages of one hacktivist group. We look at the content and focus of messages to the group and monitor how members respond through views, reactions, and forwards. We found that topics on nationalism, military, and cyber increased user activity, as did the presence of a link, photo, webpage, or document in the message.
Paper 10: An empirical account of how scamming costs and life-stage influence desistance and recidivism among online scammers.
Alain Claude Tambe Ebot
Social engineering attacks such as Advance Fee Fraud (AFF) scamming and phishing are serious societal problems. Digital technologies are enabling scammers to produce newer and more sophisticated storylines for defrauding overseas buyers. Reports from consumer organizations and law enforcement agencies associate AFF scams with huge financial losses affecting millions of organizations and individuals yearly. As new technologies emerge, payment methods such as Zelle, CashApp, and gift cards make tracking and proving that a crime occurred challenging. Despite calls in several top journals for more active offender research in IS, research examining criminal desistance (the process of stopping criminal behavior) and criminal recidivism (the process of relapsing into a behavior following a period of abstention) among active offenders is mostly done by criminologists and sociologists. Following a preliminary analysis of interview data from online scammers, we identified (1) scamming costs as an overarching attribute for explaining scamming desistance and (2) life-stage as the core attribute for recidivism among online scammers. Our findings and contributions will demonstrate and highlight why IT and non-IT scamming costs influence recidivism and when they do not.
Paper 11: Mining Mobile Security and Privacy Topics from Users' VPN App Reviews.
AJ Burns, Clay Posey
As individuals' reliance on mobile devices has increased, mobile privacy-enhancing technologies (mPET) have grown in popularity. We contend that these apps provide an important new opportunity for security and privacy researchers to complement their more traditional study of security and privacy issues. To help shed light on individuals' privacy perceptions via their download and use of privacy-enhancing technologies, we suggest that researchers examine user-generated reviews of mPET apps such as VPNs. In this paper, we discuss an early stage research project that analyzes mPET reviews for security and privacy insights. Using a large set of VPN app reviews, we first generated a binary occurrence word matrix and manually evaluated the reviews for relevant insights. Next, to obtain a more complete understanding of contextual information within the VPN reviews, we turned to the Latent Dirichlet Allocation (LDA) algorithm. Based on our exploratory analyses, we believe that we have been able to uncover several important opportunities for security and privacy researchers which we discuss. Although we focus our textual analysis on a specific form of mPET, there are a variety of apps with millions of reviews that may contain novel insights for security and privacy researchers.
Paper 12: Mobile Applications: Exploring User Decisions Related to Passive and Exploitative Application Permissions.
Deanna House
Research surrounding mobile applications and privacy has taken a variety of perspectives into consideration. However, research on mobile application permissions is continuously evolving as the permissions have evolved. The user is responsible for making permission selection decisions when installing an application. This is particularly impactful when considering mobile application trends over time, as is demonstrated and discussed in this research. First, permissions for the top 50 free and top 50 paid applications were collected at three different points in time and on three separate versions of Android OS in order to explore permission trends for free and paid applications. This research-in-progress paper aims to explore the effects that exploitative versus passive permissions and application category (free versus paid) have on a user’s intention to install a mobile application. Additionally, the terms exploitative and passive permissions are defined, with a planned experiment and survey.
Paper 13: Impact of Cyber Hygiene Behavior on Target Suitability using Dual Systems Embedded Dual Attitudes Model.
Harsh Parekh, Andrew Schwarz
While the Covid-19 pandemic has emphasized the significance and difficulties of maintaining self-hygiene, the lack of attention given to cyber hygiene in mainstream cyber security literature has become increasingly apparent. Organizational leaders and industry experts in the security domain are urging that this precautionary behavior be made a central focus against ever-rising security needs. In this article, we construct an understanding of cyber hygiene from the extant literature. Cyber hygiene behavior in individuals could be habitual or self-controlled. First, we use the concept of dual systems theory to navigate the two pathways. Second, this research situates that such non-obligation behaviors are subjected to two competing attitudes that can exist simultaneously. Thus, we model dual attitudes within a reflexive and reflective systems framework (Dual Systems Theory). This combined model explains individuals' actions that contradict their beliefs. Third, we seek to understand the impact of cyber hygiene behavior on target suitability. Overall, the research model explains how individuals' attitudes toward cyber hygiene practices can explain their likelihood of getting attacked. This research promises a holistic understanding of cyber hygiene behaviors from antecedents to its consequence.
Paper 14: The Youth Cybersecurity Concepts Instrument (YCCI): Developing a Scale for the GenCyber Cybersecurity Concepts.
Justin Giboney, Ersin Dincelli, Geoff Wright, Quincy Taylor, Dallin Christensen
There are many efforts to increase the cybersecurity workforce. GenCyber is the largest sponsor of cybersecurity youth camps, hosting over 160 summer camps a year. The goal of GenCyber is to: (1) Ignite, sustain, and increase awareness of K-12 cybersecurity content and cybersecurity postsecondary and career opportunities for participants through year-round engagement; (2) Increase student diversity in cybersecurity college and career readiness pathways at the K-12 level; and (3) Facilitate teacher readiness within a teacher learning community to learn, develop, and deliver cybersecurity content for the K-12 classroom in collaboration with other nationwide initiatives (https://www.gen-cyber.com/about/). To accomplish their goal, they have six primary cybersecurity concepts students are exposed to and learn: confidentiality, integrity, availability, defense in depth, adversarial thinking, and keep it simple. With no current way to measure knowledge of these concepts in camp attendees, this research introduces the Youth Cybersecurity Concepts Instrument (YCCI). The instrument was reviewed and validated by ten cybersecurity and pedagogy experts. During 2021 and 2022 GenCyber camps, the research team administered a pre- and post-camp YCCI to 162 camp attendees. After disaggregating the data, the research team noticed an increase in the post-camp measurement, suggesting that the YCCI effectively measures knowledge of fundamental cybersecurity concepts.
Paper 15: The "Nessa" System: Can Images from Age-Related 'Reminiscence Bumps' Help Us Separate Grown-Ups from Kids?
Chelsea Jarvie, Karen Renaud
As children increasingly operate online as independent agents, online service providers have to find ways to prevent them from going into adult-only spaces. Doing this in a privacy-preserving way is non-trivial, because most service providers require proof of identity in order to verify a user's age. We suggest benefiting from a reliable 'reminiscence bump' which occurs at a predictable time in an adult's life. Much of what occurs in this bump is retained for life, and this includes a memory of famous personages. We plan to display a number of images from the person’s stated-age reminiscence bump to test recognition ability. Their performance in this task should signal the adulthood of the user. Our studies found that participants had an accuracy rate of 79.61% when asked to identify famous figures from within their reminiscence bump, compared to an average rate of 54.98% when presented with famous figures from periods outside their ‘reminiscence bump’. We suggest ways in which this could be used as part of a privacy-preserving online age assurance solution called "Nessa".
Paper 16: The Blend of Human Cognition and AI Automation: What Will ChatGPT Do to the Cybersecurity Landscape?
Hwee-Joo Kam, Chen Zhong, Hong Liu, Allen Johnston
Artificial intelligence (AI) is increasingly prevalent in the cybersecurity industry, with many incident response tools utilizing AI. Machine learning and deep learning applications are very powerful in automating data triage tasks and assisting decision making. The popularity of ChatGPT and other AI-driven chatbots further brings AI into the limelight, making many individuals question the role of AI in cybersecurity. In general, AI embodiment garners a lot of attention. Some view AI as a double-edged sword that engenders both benefits and harm to cybersecurity workers, as well as threats posed by AI being employed by threat actors. To examine how AI would influence the cybersecurity industry, we take a grounded theory approach to investigate the interactivities between human cognitions and AI automation. We argue that such interactions would eventually generate an impact on human cognitions and emotions, shedding light on cybersecurity workers' mentalities towards AI. In this manuscript we present our preliminary findings from the analysis of data collected from Reddit.
Paper 17: Critical Success Factors for Integrating Security into a DevOps Environment.
Jacques de Kock, Jacques Ophoff
Integrating security into a DevOps environment, also known as DevSecOps, can allow organisations to deliver more secure applications and services faster to market. While many publications address the theoretical benefits and challenges of security integration, there is a lack of practical insight to guide organisations towards a successful integration. As a result, many organisations fail to achieve DevSecOps due to the historical differences that hinder collaboration between teams. This study investigates the critical success factors for DevSecOps integration using a case study approach. Semi-structured interviews were held with eight senior staff members directly involved in establishing DevSecOps integration within a large organisation. Thematic analysis of data across three categories (people, processes, and technology) identified eight major themes: executive support, security champions, security training, way-of-working, governance framework, secure pipeline, automation, and technology. Based on these findings a framework is proposed to inform and guide organisations on DevSecOps integration.
Paper 18: Information Security Practices in Inter-organizational Collaboration.
Hanna Paananen
This early-stage paper considers information security practices within networks of partner organizations. This topic is currently emerging in the information security management literature as in the past, the focus has been on organizations, and partners were discussed as "external stakeholders." This paper identifies issues that arise when there is a need to manage information security issues beyond the organization's boundaries. Then it moves to examine practices of inter-organizational collaboration and their relevance to information security management. The paper concludes that this topic should be further explored, and better support should be provided for creating practices for inter-organizational information security management.
Paper 19: The Problem of CISO Turnover: Toward a Theory of CISO Turnover.
Zeynep Sahin, Anthony Vance, Jason Bennett Thatcher
Due to the increasing number of data breaches and regulations that have elevated the role of the Chief Information Security Officer (CISO), the CISO position has become critical to organizations. Unfortunately, organizations are experiencing a high rate of CISO turnover, which has negatively impacted organizations in a number of ways. Existing research on turnover has typically focused on non-executive IT staff, CEOs, or the top management team (TMT). However, the CISO role has unique characteristics that set it apart from CIOs and other C-suite executives. As a result, there is a need for research to better understand why CISOs leave their jobs. To understand the drivers of CISO turnover, we propose to conduct a mixed-methods study. First, we will conduct a field interview study with CISOs using the lens of upper echelon theory to better understand the factors that lead to turnover. Then, we will conduct a fuzzy-set qualitative comparative analysis (fsQCA) of qualitative interview data to identify configurations that influence CISO turnover and develop a middle-range theory based on upper echelon theory. This paper aims to contribute to IS research by developing a CISO turnover theory and determining configurations of factors that lead to CISO turnover intention using a set-theoretic approach.