The Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.n, 2009

Program Chairs: Merrill Warkentin and Robert Willison

Conference Proceedings

Proceedings Editor: Anthony Vance

Leveling the Playing Field: The Influence of Self-View and Risk Domain Frame on Computer User Security-Related Optimistic Bias and Intentions

Catherine L. Anderson, Joydeep Srivastava, Ritu Agarwal

Contracting a computer virus can pose significant financial and social risks for consumers. Although many of the risks associated with online activity can be mitigated if users practice safe online behavior, surprisingly large numbers of users still do not take basic precautionary steps on a consistent basis. Studies consistently show that many users demonstrate an optimistic bias and believe they are less vulnerable to a security violation than the average other person. As a result, they are more likely to ignore the risks associated with unsafe online behavior. Using an experimental methodology, this study examines how appropriate message cues can be used to minimize user optimistic bias and increase security intentions. Building on prior research demonstrating the influence of chronic self-view on optimistic bias, the study establishes the interactive influence of risk domain frame (stressing either financial risks associated with recovering from viruses such as costs related to paying for technical support or reduced productivity or social risks such as embarrassment or disapproval related to unwittingly spreading viruses to friends) and situationally primed self-view on optimistic bias.

Information Security Control Decision Theory: Management Reasoning in Threes

Richard Baskerville

The purpose of this paper is to elaborate a fundamental theory of information security management that establishes three interrelated forms of security reasoning to explain research and practice in information security. Reasoning about information security arises as exposure control reasoning, ethical control reasoning, and developmental control reasoning. Exposure control reasoning fastens on the edges that exist because information assets are often naturally exposed to threats. Exposure reasoning seeks to substitute asset-control edges and control-risk edges for asset-risk edges. Ethical control reasoning arises in the need to make rational decisions about controls adoption. As with other ethical reasoning settings, there are varying forms of such reasoning; the basic forms include utilitarian and deontological reasoning about controls decisions. Utilitarian control reasoning depends on a greatest-good kind of rationale in grounding a decision about controls adoption. Deontological control reasoning depends on a rationale regarding duty to a moral law. In this kind of reasoning, controls are adopted because rules of conduct dictate certain degrees of protection for information and information systems. Developmental control reasoning centers the development of security in relation to the development of the information system being secured. Each of these forms of reasoning is inhabited by concerns about system complexity, which can rise as a result of security control decisions.

Familiarity Breeds Content: How Fear of Cybercrime Influences Individual Precaution-Taking Behavior

Scott R. Boss, Laurie J. Kirsch, Ingo Angermeier, R. Wayne Boss

With the growth of the Internet has come the birth of cybercrime. The incidence of illegal Internet activity, including identity theft, fraud, and virus infections, has risen dramatically over the years. As a response to these threats, organizations have implemented extensive precautionary measures (firewalls, anti-spyware software, organizational security controls, etc.) intended to help individuals secure their computer hardware and software assets. Unfortunately, studies suggest that many individuals are unaware of security issues and many fail to take advantage of precautionary measures to adequately protect their computer assets, or even bypass extant measures completely.

The goal of this study is to examine why individuals do or do not take precautions to secure their systems from cybercrime. We draw on the fear of crime literature to extend an earlier model that examined the influence of managerial actions on individual precaution-taking behavior. In this study, we investigate how the direct and indirect experiences of individuals with cybercrime influence their perceptions of both the likelihood and impact of a cybercrime or cyber-security incident, and how these perceptions in turn affect their precaution-taking behavior. We test our model using survey data from 1671 respondents at a large medical center. The findings suggest that experiences related to cybercrime influence the perceptions an individual has about the likelihood of becoming a victim of cybercrime, as well as their perceptions of the impact of a cybercrime. These perceptions in turn affect an individual's precaution-taking behavior, although not always in the ways expected. The implications of these results are discussed, and suggestions for future research are offered.

The Multifaceted Nature of Security Culture and Its Influence on End User Behavior

John D'Arcy, Gwen Greene

It is recognized among information security specialists that end users have a strong influence on the effectiveness of organizational security programs. As such, there has been increased attention toward understanding the determinants of end user security-related behavior in the workplace. Empirical studies have examined various factors such as perceived sanctions, influence of co-workers, coping mechanisms, and individual and situational differences, to name a few. An area that has received less attention is the influence of organizational security culture. Researchers have pointed out that security culture is an important factor in maintaining an adequate level of information security in organizations and have even asserted that only a significant change in security culture can reduce the number of security breaches experienced. Despite claims regarding the benefits of security culture, there is little empirical work that investigates the relationship between security culture and end user security behavior. This study investigates the relationship between security culture and two user behaviors: security policy compliance and security extra-role behavior. Survey data were collected from 105 computer-using professionals in organizations located throughout the mid-Atlantic U.S. region. The results provide strong evidence that security culture contributes to compliant user behavior. Perhaps even more interesting, the results suggest a strong association between security culture and more proactive security behaviors (i.e., extra-role behaviors) such as attending voluntary security training and promoting safe computing practices among co-workers. Implications for the research and practice of information security are discussed.

Recognising and Addressing Barriers to eSafety and Security Awareness

Steven Furnell, Rossouw von Solms, Andy Phippen

Many citizens now rely upon online services, and it is certain that this reliance will only increase in the future. At the same time, they frequently lack a solid appreciation of the related safety and security issues, and can therefore be considered to be missing out on an essential aspect of awareness needed to protect themselves in everyday life. Indeed, it is fair to say that while users are often concerned about online threats, it would be stretching the point to claim that they are fully aware of the problems. Thus, rather than actually protecting themselves, many will simply accept that they are taking a risk. This represents a problem with clear impacts for both personal and workplace usage of IT. In their personal activities, users will leave themselves and their systems more exposed, as well as potentially introducing risks to others through their actions. In the workplace, the challenge associated with tasks such as security management will be significantly shaped by the attitudes and practices of the user base being managed.

This paper examines the problem of establishing end-user eSafety awareness, and proposes means by which related issues can be investigated and addressed. Since long-term attitudes and practices will be shaped by early experiences with the technology, it is particularly important to address the issue early and improve awareness amongst young people. Indeed, research shows that current practices within this community are frequently worrying, with users demonstrating scant regard for the protection of their own personal data and little concern about the threats they may encounter. The clear risk here is that cavalier attitudes established now will engender similarly lax practices in later life. However, the problem is unlikely to be addressed via the approaches that would traditionally be applied with adult users. As such, the paper examines information gathering and awareness-raising strategies drawing from qualitative methodologies in the social sciences, whose pluralistic approach can be effectively applied within school contexts. Supporting evidence is provided from the authors' own research, in order to demonstrate both the challenges to be overcome and the format that the awareness-raising methods may take.

Forging an Effective Information Security Governance Program: A Case Study of a Multinational Organization

Tejaswini Herath, Manish Gupta, H.R. Rao

In order to preserve the integrity, availability and confidentiality of an organization's information assets, a comprehensive portfolio of security policies and technologies needs to be deployed and supported. However, it has become evident that deploying sophisticated information security management tools and technologies is not enough. To align information security objectives with business and organizational goals, organizations are increasingly adopting comprehensive information security governance structures and processes. Through a structured security program, policies are created and enforced for effective enterprise-wide deployment of information systems and technologies. While organizational security policies have been around for a while, recent growth in recognition of security governance has been fueled by 1) ever-changing compliance requirements, 2) an evolving threat landscape and the increasing complexity of security management, and 3) the emergence of best practices, standard frameworks and guidelines for security governance such as ITIL (Information Technology Infrastructure Library), ISO 17799 (Information Technology Code of Practice for Information Security Management) and COBIT (Control Objectives for Information and related Technology), amongst others.

We believe that, since security governance is an important and critical focus in most organizations and the organization in this case (ABC) adopted ITSM (IT Service Management) for security management (Table 2), the results of this case study will be of general interest in the area of information security governance. The findings of this study can help IT executives and security managers understand critical success factors in developing and maintaining an effective information security governance program and make informed decisions about security investments, policies and controls. The study aims to present some recent mechanisms and techniques that senior managers can use as a roadmap to initiate or review their security plans and policies, and to audit their implementation, using ABC's implementations as exemplar practices.

Why Individuals Abuse Computer Systems in Organizations: Perspectives from Multiple Theories

Qing Hu, Tamara Dinev, Zhengchuan Xu, Hong Ling

Computer crimes and computer abuses against corporate computer systems have increasingly become a major challenge to information security management in the Internet-enabled global economy and society. Understanding the sources of incentives and deterrents, as well as the factors that moderate and mitigate such criminal and abusive behavior, has been a focus of academic research for over two decades. Information security scholars have largely drawn on multiple theoretical frameworks and perspectives in the criminology literature to develop their models and theories of computer abusive behavior. In this study, we attempt to develop inter-related but progressively comprehensive models that integrate three mainstream criminological theories: general deterrence, rational choice, and individual propensity. We hypothesize that while the main decision process leading to the abusive behavioral intention can be explained by rational choice theory, external objective deterrence could significantly mitigate the subjective cost-benefit analysis that the rational choice model assumes individuals perform. We further contend that individual propensity, a set of relatively stable personality traits, could moderate the relationships between rational choice constructs and eventual abusive intentions. By integrating these aspects into one seamless theoretical model, we hope to provide a better understanding of computer abusive behavior and to provide insights for improving information security management practices.

National Culture and Information Privacy: The Influential Effects of Individualism and Collectivism on Privacy Concerns and Organizational Commitment

Allen C. Johnston, Merrill Warkentin, Xin Luo

Organizational leaders seek to establish a safe information environment, including perimeter controls against external threats and also internal controls to monitor for intentional or accidental internal threats. Are individuals who are more oriented toward individualistic perceptions more likely to reject or resent the use of such controls designed to facilitate organizational security? A related question is whether national culture, specifically the cultural environment within East Asian countries such as China, may promote a predominance of individuals who are more oriented toward collectivist perceptions such that they may be more willing to relinquish some degree of individual privacy in order to increase overall organizational security. A large sample of working professionals in the insurance and other industries will be surveyed in China and in the United States to address these research questions, and the results will be presented and discussed at the conference.

Beyond Privacy and Security: Ethical Dilemmas Resulting From Emergent Uses of Electronic Health Information

Amy W. Ray, Wilson Wong, Susan Newell, Jesse Dillard

Numerous countries are engaging in the development of national electronic health record systems in efforts to reduce administrative costs and healthcare treatment errors while improving healthcare quality. To date, most of the research related to these systems has focused on measuring or maximizing expected benefits or on related privacy and/or security concerns. Yet electronic health systems have social and organizational consequences that go beyond improved decision-making and task performance, and reports of rising privacy and security breaches of electronic health data are indicators that we also are not doing enough to protect this information. Beyond concerns for privacy and security, a number of additional ethical dilemmas are emerging that are not being addressed by existing management and legislative controls. These under-recognized ethical dilemmas are the primary focus of this research. More specifically, in this paper we address the ethical tensions among different stakeholder groups in relation to the use of patient data from electronic health records (EHR), and demonstrate that evolution in the use of EHR data increases privacy and security risks and that the complexity of these systems and the variety of users and uses make it more difficult to identify unethical behavior. We further consider factors that may be contributing to the creation of these ethical tensions and discuss how these tensions might be managed in ways that benefit the individual as well as the broader society.

Motivations for Employee Computer Crime: Understanding and Addressing Workplace Disgruntlement through the Application of Organisational Justice

Robert Willison, Merrill Warkentin

Within the IS security field, employee computer crime has received increased attention. Indeed, a number of researchers have focused their attention on the behaviour of the 'insider', both prior to and during the perpetration. Despite this, there is currently an absence of academic IS insight into the problem of workplace disgruntlement and how this may motivate employee computer crime. To address this deficiency, this paper draws on a body of knowledge called 'organisational justice', which examines how perceptions of fairness are formed. Under this umbrella term are four constructs which relate to different organisational phenomena and influence employees' fairness perceptions. It is believed that these constructs, entitled distributive, procedural, interactional and informational justice, and the theories which underpin them, can assist not only in understanding, but also in mitigating, disgruntlement. To illustrate this, a case of employee computer sabotage is analysed, highlighting which forms of organisational justice occurred, and how they could have been addressed. The discussion section notes how mitigating disgruntlement provides a new area for safeguard implementation, with the final part of the paper discussing the conclusions and potential for future research.