The 2012 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: John D’Arcy, Gregory Moody, and Rob Crossler

Conference Proceedings

Proceedings Editor: Anthony Vance


Paper 1: Are You Sure You are Safe? Perceived Security Protection as an Enabler of Risky IT Behavior

Merrill Warkentin, Robert Crossler, Nirmalee Malimage

Do individual computer users who have adopted precautionary behaviors or protective technologies take greater risks? Do they reduce their risk profile in one area, but compensate by assuming greater risk in another? Does the individual who observes the recommended response to a threat (as specified in a fear appeal or other persuasive communication) always inherit a reduced risk profile overall? These questions will be explored in this essay on three factors that may challenge the conventional wisdom about Protection Motivation Theory and the outcomes of security training and awareness campaigns. We introduce the Peltzman Effect and the Risk Homeostasis Hypothesis, which may cause an individual to assume greater risk after adopting a protective technology or precautionary behavior. Research questions are raised for the consideration of the information security research community.

Paper 2: Lie to Me: Gender Detection and Deception in Computer-Mediated Communication

Shuyuan Mary Ho, Merrill Warkentin, Roberto Salome

Individual users receive frequent electronic communications from systems and other users, which ask for responses or information. It is imperative that users accurately assess the identity of the message source as part of the judgment of its validity and veracity to maintain information security. Further, users often interact with each other through the use of various computer-mediated communications (CMC) systems, and must assess the identity of their online communications partners in the process. Without the cues present in face-to-face interactions (including para-verbal and nonverbal visual signals), one must constantly assess, through limited information channels, the identity of communication partners. In virtual environments, people not only invent new ways to communicate, but seek to understand each other differently. In this context, identifying deceptive behavior becomes even more difficult. This paper describes an ongoing study, which seeks to understand the use and detection of gender deception. Specific research questions include: how successfully do individuals imitate the opposite gender and attribute gender roles to others; how do these differ depending on their level of domain knowledge; and how can we develop a deeper understanding of the strategies people use to attribute gender deception? We discuss the context and present a research design to investigate these research questions.

Paper 3: Driving Security Through Compliance Mechanisms: The Role of Regulation in Information Security Practices

Teju Herath

There are a multitude of regulations including accounting regulations, privacy regulations, health regulations, and financial information regulations which affect security practices in organizations. Surprisingly, however, there is very little academic research on this issue. This study focuses on accounting regulations and proposes an examination of the impact of regulation on information security practices in organizations. The Sarbanes-Oxley Act (SOX), which was passed by the United States Congress in 2002 in response to financial scandals, and similar accounting regulation in Canada, namely the National Instrument (NI) 52-109 Certification, have affected computing practices in public organizations. The emerging international accounting regulation, the International Financial Reporting Standards (IFRS), also has implications for information system practices in organizations. These regulations deal mainly with the quality of financial information and do not explicitly discuss information security. However, since most accounting records are created and maintained with information technology (IT), internal and external information security threats represent a fundamental risk to a firm’s operations and the quality of its financial and non-financial information. To the best of our knowledge, there is no comprehensive empirical study that evaluates the role of regulatory compliance in driving information security practices in organizations. This article attempts to build and test a theory that will increase our understanding of how regulations affect the security practices in organizations.

Paper 4: Why Do Some Older Adults Distrust the Web

Rajarski Chakraborty, H.R. Rao, Sharmista Bagchi-Sen, Shambu Upadhaya

Older adults are adopting the Internet in increasing numbers today. At the same time they are also experiencing uncertainties about their safety and information privacy on this medium. This paper provides a framework to understand the reasons why older adults might distrust the Web in general. Based on established theoretical frameworks about trust in online entities as well as extant cross-disciplinary literature about gerontology and information systems adoption challenges, this paper develops several hypotheses to explore security behavior issues. Using Partial Least Squares modeling on the data collected through a pilot study, the hypotheses are shown to be supported. Implications, especially for building educational programs and interventions, are then discussed for the population over the age of 55.

Paper 5: The Information Security Behavior of Home Users: Exploring a Users’ Risk Tolerance in the Framework of Protection Motivation Theory

Marc Dupuis, Robert Crossler, Barbara Endicott-Popovsky

Research examining the information security behavior of individuals with respect to risk has focused primarily on only a handful of constructs; most of which have their roots in Protection Motivation Theory (PMT). However, there is still a lot we do not know about the behavior of individuals. This study examines the information security behavior of home users in the context of one dependent variable: backing up information. The purpose of this research is largely exploratory with the goal to aid model development in this area. Therefore, an additional set of constructs in various domains are used to measure an individual’s risk tolerance and risk perception beyond those generally used in PMT. Additionally, a construct is included to account for an individual’s past experiences as it relates to the dependent variable. The results indicate that an individual’s risk tolerance and risk perception with respect to the ethical, financial, and health domains may be important predictors of how they perceive risk in the information security domain, and specifically the task of backing up data. Furthermore, past experiences related to backing up information may help explain some of an individual’s current behavior in keeping data backed up.

Paper 6: Examining Protective Behavior Strategies of IS End Users: An Exploratory Cluster Analysis

Mary Burns, Alexandra Durcikova, Jeff Jenkins

The adage, “old habits die hard”, is especially relevant when humans learn new protective behaviors (i.e., dental flossing, IS security behaviors). The foundation that underlies many social-cognitive theories used in IS research is that intention to change predicts actual behavior change. Despite intentions to change, humans do not always change their habits due to actual or perceived obstacles, for example. In this study, user behavior, particularly with respect to vigilance over phishing attempts, was investigated via the theoretical lens of a hybrid continuum-stage behavior change model adapted from health-related fields. The goal of this research was to gain a better understanding of: a) whether there are distinct stages that distinguish end-users’ vigilance toward phishing attempts; b) if so, whether this research study can confirm three distinct stages; and, c) what characterizes these stages. This study profiled IS end users based on the model’s constructs (e.g., coping self-efficacy, intention, action/coping planning, and risk perception) that examined their protective behavior toward phishing attempts. In an exploratory analysis of survey data (n=394), stages of IS end users were determined via cluster analysis techniques (hierarchical followed by K-means). Next, an agglomerative hierarchical cluster analysis using the within-groups method of average linkage and Euclidean distance measures was performed on the model’s constructs. Three clusters emerged as the optimal number to be used in the subsequent K-means cluster analysis. We compared the means of the model’s constructs to develop profiles for the three distinct clusters. Finally, implications for theory and practice are discussed.

Paper 7: Enhancing Password Security Through Interactive Fear Appeals

Anthony Vance, David Eargle, Kirk Ouimet

Passwords remain the dominant authentication mechanism for information security. Unfortunately, research has shown that most passwords are highly insecure. Given the risks of using weak passwords, there is a need to effectively motivate users to select strong passwords. In this study we examine the influence of interactivity, as well as static and interactive fear appeals, on motivating users to increase the strength of their passwords. We developed a field experiment involving the account registration process of a website in use in which we observed the strength of passwords chosen by users. Data were collected from 354 users in 65 countries. We found that while the interactive password strength meter and static fear appeal treatments were not effective, the interactive fear appeal treatment resulted in significantly stronger passwords. Our findings suggest that interactive fear appeals are a promising means of encouraging a range of secure behaviors in end users.

Paper 8: The Influence of Cultural Values on Information Security

Robert Crossler, Francis Andoh-Baidoo, Philip Menard

Recent attacks by hacker groups such as Anonymous and LulzSec have placed a spotlight on the seriousness of information security. These hacker groups work together in a loosely-knit social community to conduct high profile attacks against agencies that one would think are strongly secured. One avenue for these attacks is through the computers of individual users worldwide. An individual’s failure to properly secure their computer can result in it becoming a tool for hackers to use in a botnet for other attacks. Once a computer has been compromised and included as part of a botnet, it can be used at the hackers’ whim to conduct attacks on other targets. The 2010/2011 Computer Security survey indicates, as in previous years, that malware was noted as the most common attack and that 61% of respondents reported having experienced a malware attack (Richardson 2011). Another surprising result is that for the first time the report did not include financial loss due to security attacks since few respondents were willing to share financial loss information. Hence security attacks are both critical and sensitive to organizations. One way individuals can protect their computer from becoming part of a botnet is the use of anti-malware software. Hence anti-malware software or “protective information technologies” is becoming very important in the global networked society (Dinev et al. 2009). Installing and regularly updating anti-malware software provides protection from Trojan programs that, when installed, provide a back-door to hackers to take over the individual’s infected computer. Additional benefits that anti-malware software provides include protection against identity theft, privacy loss, data loss, and computer crashes.

Paper 9: Putting Privacy in its Place: A Review and Taxonomy of the Costs and Benefits of Location Disclosure Over Medical Devices

Samuel Thompson, Mark Keith, Clay Posey

Mobile devices provide Location-Based Services (LBS) that deliver real-time, personal location information to users and service providers with attendant privacy risks that are not yet fully understood. Existing research has implied that there is a privacy paradox where users claim to be concerned about their information privacy, yet are quite willing to disclose it for relatively small benefits. However, the limited research on location data has taken only a high-level view of the risks and benefits of disclosure. Therefore, this perceived paradox may simply be the result of a misunderstanding of all the factors involved in the disclosure decision. Using social exchange theory, we use an adapted Systematic Literature Review and a qualitative study conducted with a variety of user groups (IT executives, community groups, and students) to build a taxonomy of the costs and benefits considered when making location disclosure decisions. Results highlight (1) the role of privacy in information disclosure decisions relative to all other considerations and (2) that users focus on benefits while researchers focus on costs. This study identifies the particular costs and benefits end users consider when disclosing privacy related data. Using a social exchange theory lens, this research indicates that of the three identified categories of costs and benefits, the most significant costs considered by both users and researchers have been social costs, while the most significant benefits have been economic/utility benefits. It is the particular costs and benefits within these categories that differ markedly in their prioritization, based on the focus group and systematic literature review results. LBS providers can use these decision inputs as a guide when determining which features and benefits will maximize their offerings in the marketplace. The taxonomy should help researchers to better model and understand the exchanges users make regarding location data privacy.

Paper 10: Imbalance Challenges of Enacting Information Privacy Safeguards: A Grounded Theory Investigation in the Healthcare Context

Rachida Parks, Heng Xu, Cho-Hsien Chu

Healthcare organizations face significant challenges in designing and implementing the appropriate safeguards to mitigate information privacy threats. While many studies examined various technical and behavioral safeguards to protect the confidentiality and privacy of patient information, very little is known about the actual outcomes and implications of the privacy practices in which organizations engage. There is little research theoretically explaining the outcomes of enacting privacy safeguards and subsequent effects on privacy compliance. This paper reports the results of a grounded theory study investigating the intended consequences (positive impacts) and unintended (negative impacts) consequences of enacting privacy safeguards in healthcare organizations. An imbalance challenge occurs when the negative impacts outweigh the positive ones. To address the imbalance challenge, organizations need to achieve a balance between privacy and utility, meeting privacy requirements without impeding the workflow in medical practices. Findings are presented within an emerging theoretical framework of the imbalance challenge identified in this work. This study is one of the first systematic attempts to identify the opposing impacts of privacy safeguard enactments and examine its implications for privacy compliance in the healthcare domain.

Paper 11: Investigating Privacy Concerns in Medical Tourism Services

Chul Woo Yoo, Myung-Seong Yim, H.R. Rao

Several studies have dealt with factors that influence patients’ use of medical tourism (Heung et al. 2010; Smith et al. 2007). However, compared to other healthcare areas such as electronic health records and healthcare online communities, in the medical tourism field, the effect of privacy has not been researched. The privacy issue is considered very important in the healthcare industry (Damschroder et al. 2007). It becomes more important in medical tourism services because customers are not likely to believe that their private information is as well protected in foreign countries as in their own country. In this study, we investigate the role of privacy concerns as a main factor that influences patients’ intention toward medical tourism services. For this paper we use “intention to spread positive information through word of mouth” and “intention to reuse medical tourism service” as the dependent variables. We adopt a perceived benefit and cost framework to explore patients’ decision making process in creating word of mouth and building intentions to reuse medical tourism services. A survey is created and a model is proposed for hypothesizing relationships among variables and empirical verification. Finally, implications are discussed.

Paper 12: Vengeance is Mine: A Model of Emotional Appraisal and Computer Abuse

Jongwoo (Jonathan) Kim, Eunhee Park, Richard Baskerville

What factors drive individuals to abuse information systems? Better understanding of the roots behind this individual decision could provide opportunities to reduce computer abuse by reducing the presence of these factors. In this paper, we examine the effects of both organizational and personal factors on an individual’s computer abuse behavior. We develop our theoretical model based on abuse opportunity structure theory and literature on emotion theory. Specifically, we identify the organization abuse structure as an organizational factor and three personal factors (goal conduciveness, abuse positive affect, and morality) as personal factors. We investigate their effects on the assessments and decisions that individuals make about computer abuse. The results of a controlled laboratory experiment showed that the organization abuse structure affects these decisions through the assessment of goal conduciveness and abuse positive affect. Morality, however, was found to directly and indirectly affect an individual’s abuse intent. These results imply that security practices are subject to individual appraisals that raise emotions that are in turn conditioned by morality in specific ways. A technical evaluation of the practices is incomplete when absent of the individual appraisal.

Paper 13: Security Profiling in the Organization: Examining Employment Relationship Effects on Information Security

Scott Boss, John D’Arcy

Information system security research has found contradictory evidence regarding the effects on user behavior of various procedural and technical countermeasures, such as security policies; security education, training, and awareness (SETA) programs; and computer monitoring. An implicit assumption in much of this work is that all employees tend to react to security countermeasures in a fairly consistent manner. We test this assertion by assessing the influence of security countermeasures on employees who differ in job satisfaction and burnout. We find that mandatoriness has much less effect on unhappy employees than on others, while SETA programs are equally effective for all employees. Our results have important implications for security management.

Paper 14: What Motivates Hackers? Insights from Self-Determination Theory

Justin Giboney, Alexandra Durcikova

In 2011 there were at least 174 million electronic records compromised over 855 incidents (Verizon, 2012). Of these incidents, 61% of the data theft and 21% of incidents in large organizations were done by an activist group (i.e., hacktivism) (Verizon, 2012). Hacktivism has already changed the world, from shutting down the Sony PlayStation network to instigating revolts in the Arab Spring. Because of the immensity of this problem, researchers have insisted that we need to understand hackers (Mahmood, Siponen, Straub, Rao, & Raghu, 2010). To better understand hacktivists, we will dive into what motivates and drives someone to participate in hacktivist activities. We utilize Self-Determination Theory (SDT) to help explain the differences and similarities of the motivations of hacking-related activities. SDT posits that the type and quality of a motivation is more important than the amount of motivation (Deci & Ryan, 2008a, 2008b) and that the type of motivation lies on a continuum between controlled and self-determined behavior (Deci et al., 1991). Through a literature review, we have identified a series of motivations that are suggested to motivate hackers and activists. Our intention is to use SDT to guide a rigorous analysis of these motivations and to use a policy-capturing methodology (Karren & Barringer, 2002) to better understand why someone would engage in hacktivist activities. Our goal is to bring us closer to a theory of hacktivism motivations, because currently there are only a series of taxonomies and classifications. These taxonomies will provide the grounds for theory building. We will start by narrowing down the motivations provided by the taxonomies and bring SDT into this technology-enabled environment.

Paper 15: Why Do Smart Kids Become Computer Hackers? An Exploratory Case Study

Qing Hu, Zhengchuan Xu, Chenghang Zhang

Computer hacking committed by young and talented high school and college students not only poses significant threats to the information security of organizations, but also creates significant social issues for society. Reducing computer hacking by young people requires understanding of how and why these young and talented individuals become computer hackers. In this study, we conducted an exploratory case study by interviewing six known computer hackers. Our findings suggest that there are common patterns in the evolutionary paths of these individuals, and significant damages to individuals, organizations, and societies can materialize if proper intervention programs are not developed and implemented at colleges and high schools. Fortunately, this evolutionary process from talent to hacker is adaptive and malleable, and appropriate interventions throughout the process could be effective in altering its course. An adaptive cognition and action theory (ACAT) about how and why smart kids become computer hackers is developed based on the case evidence and the extant literature. Theoretical and practical implications of these findings are discussed.

Paper 16: On Cognitive Fit, Improvisation, and Security Incident Response Management

Kennedy Njenga, Irwin Brown

The leading information security management concern within South African organisations currently stems from the level of security incidents reported that compromise organisational data. The paper introduces Cognitive Fit Theory as a theoretical lens useful towards understanding how information security practitioners use Intrusion Detection Systems (IDS) to comprehend security incidents. The argument presented is that turbulent scenarios such as zero-day attacks cause erratic spatial and symbolic problem representation by IDS. The IDS generates spatial and symbolic data whose interpretation and performance for incident mitigation is dependent upon the cognitive style of an information security practitioner. It is argued that depending on the degree of cognitive style that stems from problem representation, an information security practitioner may adopt an improvisational problem-solving performance. The outcome of the paper is the development of a theoretical model that presents improvisation as a moderating component of Cognitive Fit, useful to practitioners who manage security incidents. From qualitative data analysis, empirical work from a single case study confirms the importance of improvisation in security incident management.

Paper 17: The Role of Habit in Information Security Behaviors

Kalana Malimage, Merrill Warkentin, Robert Crossler

Information security risks have multiplied with the information explosion that has been experienced globally, especially in the last decade with more users having ubiquitous access to computers and the internet. Organizations continue to struggle protecting their information systems daily from various threats and spend billions of dollars to build defenses to counter these threats. Some of these threats include natural and manmade disasters, errors by internal employees, acts of competitors with malicious intent, hackers, spyware and viruses (Loch et al. 1992; Willison and Warkentin 2012). Non-malicious behavior or “human error” is known to be the reason for the majority of policy violations and security incidents at organizations (Plamondon 2011). Organizations have increased their efforts to curtail these non-malicious employee behaviors through measures such as information security training and behavioral shaping (e.g., creating repetitive and automatically triggered security practices). It is important to understand that most of these non-malicious behaviors performed by employees may be a part of their work routine, performed frequently and automatically. According to social psychology research, when a certain behavior is goal-oriented and performed frequently and automatically, it is defined as a ‘habitual’ behavior (Verplanken and Orbell 2003). For example, even though the organizational policy states otherwise, an employee may continuously fail to lock the computer when leaving it unattended due to negligence. The employee does not fail to lock the computer because of any malicious intent, thus it is non-malicious, but continuously failing to lock the computer (automatically) may be a habitual non-compliant behavior. On a similar note, an employee may frequently and automatically lock the computer every time he/she leaves the terminal unattended, which exhibits a habitually compliant behavior. Extant research on information security focuses more on behavioral intention and behavior and has ignored the influence of habit on security related behaviors.

Paper 18: Don’t Make Excuses: Framing Security Training to Reduce Intentions to Violate IT Security Policies

Jordan Barlow, Merrill Warkentin, Dustin Ormond, Allen R. Dennis

Past research on IT security training has focused on informing employees about security policies and formal sanctions for violating those policies. However, recent research suggests that deterrent sanctions may not be the most powerful influencer of employee violations. Often, employees use rationalizations, termed neutralization techniques, to overcome the effects of deterrence when deciding whether or not to violate a policy. While both deterrence and neutralization techniques affect employees’ intentions to violate IT security policies, we theorize that proper training, focused on mitigating neutralization rather than deterrent sanctions, can reduce these intentions. Because neutralization techniques are stronger than sanctions in predicting employee behavior, such training could be useful in combatting intentions to violate security policies. Additionally, using framing theory, we predict that negatively-framed training will be more persuasive. We test our hypotheses in a pilot study using the factorial survey method. Preliminary results are presented.

Paper 19: Understanding Management Perspectives on Insider Threats and the Possible Approaches to Mitigate These

Michelle Barnett, Kosheek Sewchurran, Jacques Ophoff

Insider threat refers to legitimate users who misuse their privileges, and insider threat management is the approach used by information security professionals to mitigate this threat. Although much discussion and thinking on the subject of insider threat has occurred, there is little understanding of the nature of this threat. Information security practitioners, although largely aware of the actions that promote mitigation of information security risk, fail to address insider threat successfully. A soft systems methodology research approach is used to gain understanding of the perspectives held by information security practitioners with reference to insider threat, as well as to explore the factors which influence these perspectives. A major finding of this study is that the ethics and moral values of the organisation have a strong influence on the prevalence of insider threat. Furthermore, unethical behaviour by senior and executive management influences the organisation’s ability to mitigate insider crime. The study also found that although organisations do not believe that employee social welfare is an organisational responsibility, such programmes not only increase loyalty, but actively contribute to reduced levels of insider crime. The study also established that insider threat is best dealt with when proactive and reactive approaches are combined into a holistic approach. This study contributes to the understanding of insider crime, within the context of the diversity of social values and understandings found in South Africa. The outcomes of the study have taken the form of theoretical contributions to the body of knowledge, but also provide practical operational methods, thus satisfying the dual imperatives and purpose of the action research stance adopted.

Paper 20: Neural Correlates of Gender Differences in Distinguishing Malware Warnings and Legitimate Websites: A NeuroIS Study

Bonnie Anderson, Anthony Vance, James Hansen, Brock Kirwan, David Eargle, Lee J. Hinkle, Arthur Weagel

Despite being a problem for more than two decades, malicious software (or malware) remains a serious threat to the information security of organizations. Increasingly, attackers target the computers of end users to gain a beachhead from which the network of a user’s organization can be surveilled and exploited. Given the growing threat of malware to end users and their organizations, there is a need to understand how malware warnings can be made more effective to alert end users of potential threats. We address this need by performing a NeuroIS study to examine whether men and women process malware warnings differently in the brain. We conducted a laboratory study that employed electroencephalography (EEG), a proven method of measuring neural activity in temporally sensitive tasks. We found that the amplitude of the P300, an ERP component indicative of decision making ability, was higher for all participants when viewing malware warning screenshots relative to legitimate website screenshots. Additionally, we found that the P300 was greater for women than for men, indicating that women exhibit higher brain activity overall when viewing malware warnings. Our results demonstrate the value of applying NeuroIS methods to the domain of information security and point to several promising avenues for future research.

Paper 21: Latent Curve Modeling for Factorial Survey Designs

Robert Otondo, Robert Crossler, Merrill Warkentin