The 2013 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Tejaswini Herath, Qing Hu, Clay Posey

Conference Proceedings

Proceedings Editor: Anthony Vance

Download all papers here.

Paper 1: Conceptualizing Employee Compliance and Noncompliance in Information Security Research: A Review and Research Agenda

Jeffrey D. Wall, Lakshmi Iyer, A.F. Salam, Mikko Siponen

This paper examines a particular problem in security research, namely the lack of clear conceptualizations of employee compliance and noncompliance in organizational settings. More than half of the studies reviewed in this paper failed to offer even a simple definition of the dependent variable. This review finds that definitions of compliance and noncompliance are taken-for-granted, which may limit the contribution of individual papers and the progress of the entire behavioral information security discipline. Through open and axial coding of existing security studies, this paper identifies 3 important dimensions of compliance and 4 dimensions of noncompliance. Further, using the concept of disciplined imagination, this paper identifies 6 types of compliance and 10 types of noncompliance based on combinations of the dimensions of compliance and noncompliance extracted from the literature. This paper provides important research questions related to each type of compliance and noncompliance that should be explored in future research. Additionally, this paper provides alternative conceptualizations of compliance and noncompliance that do not follow the static conceptualizations commonly studied in the security studies. This paper offers another call for researchers to carefully consider the definitions and conceptualizations of key constructs before conducting research.

Paper 2: Can Relationship Conflict Damage an Organization's Information Security?

Ammar Nurbhai, Jingguo Wang, Nicolette P. Lopez

In this research-in-progress, we propose to investigate the relation between relationship conflict and information security policy noncompliance, and how this relationship may be changed by organizational justices. Drawing upon literature from management, psychology, and IS, we develop the hypotheses. We hope the research can provide more insights to insider threat behavior for both academic research and practical programs.

Paper 3: United We Stand: Toward The Development Of An Enterprise Cybersecurity Efficacy Theory

Allen C. Johnston, Paul Di Gangi, James Worrell, Jack Howard

An organizational_level analysis of enterprise cybersecurity efficacy has yet to be examined. The purpose of this study is to expand research into the organizational level of analysis and develop a theory of enterprise cybersecurity efficacy. This theory is driven by an understanding of Social Disorganization Theory which examines criminal behavior in geographically_bound neighborhoods. Using a multi_case study design and thematic analysis approach to theory development, this study develops the boundaries of enterprise cybersecurity efficacy theory and outlines its expected implications to both research and practice.

Paper 4: One Size Does Not Fit All: Different Cultures Require Different Information Systems Security Interventions

Mari Karjalainen, Mikko Siponen, Petri Puhakainen, Suprateek Sarker

Employees' non-compliance with information systems (IS) security policies is a key concern for organizations. Previous studies have proposed different explanations for employees' behavior, and different approached to change employees' behavior, such as the use of sanctions and monitoring, fear appeal and training, which represent different paradigms of learning. While non-compliance with IS security policies seems to be a global issue, previous works do not test the validity of their models or methods across different cultural settings. Based on interviews in four countries, we argue that while information security behaviors are learned, different paradigms of learning are effective in different cultures; i.e., different cultures require different IS security interventions. What is even more important is that by providing non-preferred IS security interventions (e.g., monitoring/sanctions in Switzerland) were negative for improving information security. This study has implications for IS security research, editors, and practitioners. For scholars, we urge them to not only validate, but also test their models in different countries. The implication for editors is to consider if their reviewing policy accept papers that also show the limits of their theories (not positive results) in some countries. From a managerial perspective, our findings suggest that different cultures require different IS security interventions.

Paper 5: Improving End-User Security through SETA Programs: An Action Research Approach

Alexandra Durcikova, Jeffrey L. Jenkins

Employees are often identified as the weakest link of security because a single instance of non- compliance is enough to jeopardize the security of the whole organization. To increase awareness and compliance with security policies, organizations commonly implement security education, training, and awareness (SETA) programs that may consist of multiple components (e.g., training sessions, reminders, exercises, face-to-face discussions, etc.). This research-in-progress paper offers a longitudinal examination of how selected components of SETA programs and associated learning theories influence compliance with security policies. Without this longitudinal understanding, organizations may have limited guidance of what combination of SETA components to implement, and when. We describe an action research approach to address this need and present the diagnosing and action planning stages of a longitudinal study conducted at a small company (120+ employees). The action planning is informed by theory on end-user security training. The findings of this study have the potential to offer new insights into not only short-term, but also long-term effectiveness of different components of SETA programs and learning theories.

Paper 6: What's in it for me? A Stakeholder Theory perspective on Information Technology Security Investment

Mari Karjalainen, Mikko Siponen, Rajiv Kohli, Xiuyan Shao

Information Technology (IT) security is of increasing importance to organizational success. The decision to implement IT security solutions is subjected to scrutiny, just like other IT investment decisions. Past research established investment evaluation tools that managers can use for estimating an optimal level of information technology security investment (ITSI) or conduct efficiency driven evaluation, such as return on investment (ROI) in order to determine whether to make the investment. However, the previous studies view ITSI as a rational calculation problem solved through appropriate mathematical tools. While the previous research provides important tools for decision-makers, we suggest that an organization's ITSI decision is more than a calculation problem. It is also an empirical riddle of finding out 1) who are the stakeholders whose support is necessary for an ITSI decision's acceptance, and 2) what their expect from an ITSI. These important issues are unaddressed questions in ITSI research. To complement the existing ITSI research, our research seeks to identify the core considerations of different organizational stakeholders' that influence ITSI decision-making that is missing in the previous studies. Through in-depth case studies of four organizations that evaluated ITSI involving secure email and interviews with key participants in the ITSI decision-making, we find that ITSI involves more than finding an optimal investment level or justifiable ROI. We find that ITSI decisions are mainly driven by the support of three key stakeholder constituencies -- end users, information security specialists, and organizational decision-makers. They support ITSI only when their values are satisfied. Our interviews revealed that end users support ITSI if it adds minimal additional effort, require no new technical skills, and strongly connected to their work-related tasks. Although information security specialists value the technical quality of the ITSI, we find that they seek tradeoffs between users' values and technical quality. Decision makers value ITSI organizational fit, the usability for the organization, and accumulating political capital. We contribute to IS theory by building upon Stakeholder theory to explain approval/rejection of ITSI as influenced by stakeholders' values. Our findings call for a revised paradigm in IS research that views ITSI as not only providing optimal level of ITSI and ROI justification but also satisfying the social, political, and emotional needs of the key stakeholder constituencies.

Paper 7: Using the COBIT Maturity Model Rubrics to Evaluate Information Security: An Exploratory Study

Paul John Steinbart, Robyn L. Rashcke, Graham Gal, William Dilla

Measures of information security activities and overall effectiveness are not readily available to researchers. Consequently, researchers often rely upon self-reported qualitative measures. However, this approach raises issues concerning both the scope and the reliability of data collected. This study avoids such concerns by using rich, holistic scales (the COBIT 4.1 Maturity Model rubrics) created by a professional organization. Our results suggest that the COBIT 4.1 Maturity Model rubrics may be a useful tool for information security researchers. We show that the COBIT rubric scores reliably predict both subjective (i.e., an overall grade) and objective (security incidents) measures of information security effectiveness.

Paper 8: Monitoring Measures and Data Breaches in Online Banking

Rajarshi Chakraborty, H. Raghav Rao, Sharmistha Bagchi-Sen, Shambhu Upadhyaya

Data breaches through hacking incidents have become a significant phenomenon in the world of online retail banking. These breaches can drain a treasure trove of personal data belonging the customers. While banks are getting better in quickly resolving these issues, such incidents can serve as a reminder to customers to be proactive about their security, especially if they are locked into and also trust the services of the bank in general. This exploratory study examines two mechanisms of such proactive practices -- purchasing credit monitoring services and practicing extra caution by monitoring the online banking activities regularly. Using Partial Least Square regression, we show support for some of our hypotheses using survey-based data from a student population. The implication of this research lies in helping banks and credit-monitoring services prepare better plans for informing customers about data breaches and other hacking incidents.

Paper 9: A Review and Typology of Security-Related Corruption Controls: Setting an Agenda for Studying the Behavioral Effects of Security Countermeasures

Jeffrey D. Wall, Prashant Palvia, John D'Arcy

Minimizing information security policy violations and computer abuse committed by organizational insiders is an important organizational concern. Organizations implement a variety of security controls to combat insiders' abusive behaviors. Although research on insiders' security behaviors has become an important information systems (IS) issue for both researchers and practitioners, research on security behaviors is in a nascent state. On this point, many theories have been used to study security behavior, but very little structure exists relating to the nature of and interaction between security controls. Further, the behavioral catalyzing characteristics of different security controls are not known. Similarly, questions about the appropriate combination of security controls that should exist in organizations are not well addressed. In order to provide clarity and structure to the study of insider abuses, this paper provides a cross-disciplinary review of organizational controls. Based on the review, we develop a typology of security-related corruption controls that identifies 12 types of controls and 3 high level control systems. Our review and typology provide several important insights for future research and for the development and implementation of security controls in organizations.

Paper 10: What Motivates Hackers? Insights from the Awareness Motivation-Capability Framework and the General Theory of Crime

Justin Scott Giboney, Alexandra Durcikova, Robert Zmud

In 2011 there were at least 174 million electronic records compromised over 855 incidents. Of these incidents, 61% of the data theft and 21% of incidents in large organizations were done by an activist group whose actions are referred to as hacktivism. Hacktivism has already made significant impact all around the world, from shutting down the Sony PlayStation network to instigating revolts in the Arab Spring. Because of the immensity of this problem, researchers have insisted that we need to investigate the behavior of hackers to better understand what drives this behavior. We utilize the Awareness-Motivation-Capability (AMC) framework and the general theory of crime to help explain the differences and similarities of the motivations of hacking-related activities from those of hackers and activists. Data collected in seven prior experiments helped us to refine the instrument used here in testing our proposed model that builds on these two theories. Our findings clearly show the existence of differences in the influences of aspects of motivation and in the influences of capability and self-control with regard to digital activists, hacktivists, and illegal hacking activities. Implications for research and direction for future research are discussed.

Paper 11: Value-Focused Assessment of Information Privacy versus Utility in the Healthcare Environment

Rachida F. Parks, Rolf T. Wigand

This study examines the relatively unexplored area of simultaneously responding to privacy threats while not hindering business operations, suggesting a symbiotic relationship between these two focal and interdependent efforts. A qualitative investigation using a value-focused thinking approach is pursued. Using the notion of ascribing healthcare executives' values to managing privacy threats in healthcare, we develop a value-driven framework providing a useful and comprehensive list of values that are grouped into seven fundamental and sixteen means objectives. While previous research investigated privacy threats as well as their countermeasures, it falls short of proposing a framework striving to achieve a balance between information privacy and utility. Accordingly, the present research overcomes this limitation by offering a conceptual foundation for future research and providing practitioners with guidelines to balance information privacy and utility while not hindering business operations.

Paper 12: Developing scales to measure constructs for a privacy calculus and information privacy behaviors specific to social computing technologies

Tabitha L. James, Stephane E. Collignon, and Merrill Warkentin

In this study, we explore the scale development for constructs representing the privacy calculus specifically applied to the tradeoff presented by social computing technologies (SCTs) (e.g. Facebook, Google+, etc.). Using Laufer and Wolfe's concept of an interpersonal privacy dimension that is formed by the need to manage both information disclosure and interaction with others, we refine constructs to measure desire for control over one's information disclosure and interaction management. Those two constructs form an operationalized version of the interpersonal privacy dimension, which we refer to as the Interpersonal Privacy Identity (IPI). The privacy calculus, also suggested by Laufer and Wolfe, can be used to explore the tradeoff between the IPI (the cost) and the desire to obtain something (the benefit), which requires one to relinquish some degree of privacy. We suggest that SCTs offer two capabilities that entice people to use the site but which require an individual to release information or interact with others in a way that may be considered to impact an individual's privacy: (1) the ability to socialize with others and (2) the ability to present a virtual representation of oneself to others. Hence, we develop measures for constructs to examine the privacy-overriding strength of these two desired capabilities. Furthermore, we examine the types of information people release on SCTs and explore the possible scopes of the release. We use these findings to develop a set of items to explore the relationship privacy boundaries that can be implemented on a SCT platform on different types of information.

Paper 13: I'm Safer than You: The Role of Optimism Bias in Personal IT Risk Assessments

Merrill Warkentin, Zhengchuan Xu, Leigh A. Mutchler

Psychologists have long known that individuals routinely overestimate their abilities and underestimate the risk they face, when compared to others. This dispositional "optimism bias" varies from one individual to another, and may impact the situational optimism bias that individuals each exhibit in various contexts. Most existing InfoSec research is predicated on a presumption of rational cognitive appraisal of the security threats we all face and our ability to cope with such threats, but this source of bias may be a significant factor that influences one's assessment of the threats to one's information assets and on one's ability to address such risks. We seek to explore this important factor and determine the relative degree to which dispositional and situational optimism biases affect one's risk perceptions in the context of responding to information security threats and recommended responses. As an initial investigation, we explore the literature and establish the use of several measures that we may use in a future longitudinal research project in which various treatments (e.g. informational messages, persuasive messages, news events, fear appeals) may be administered to determine the relative impact of such organizational measures (part of SETA programs) on individual employees, specifically those with higher levels of (measurable) dispositional optimism bias. Following our validity testing of several measures, we describe a longitudinal research program to pursue, which will enable us to explore this phenomenon in depth. This will also allow us to begin to understand the process by which IT users may be influenced by their environment to attenuate their natural optimism bias and perceive threat and coping levels more aligned with those that are expressed in the messages.

Paper 14: A Longitudinal Field Study of Authentication Credential Efficacy over Mobile Devices

Mark Keith, Jeffry Babb, Paul Steinbart

Mobile devices (e.g., phones, tablets, etc.) are being increasingly used to access organizational systems. This practice adds both new benefits and risks. One form of this new risk is the uniqueness of password, or "what you know", based system authentication. The purpose of this study is to explore how password-based authentication over mobile devices differs from traditional keyboards (i.e., desktops and laptops, not keyboard based mobile devices) in terms of login success rate, memory login failures, and typographical login failures. We employed an authentic, longitudinal field experiment in which participants were randomly encouraged to generate passwords versus passphrases. We discovered that when the same user employs the same credential over both mobile and keyboard devices, they exhibit significantly fewer memory failures over mobile devices. In addition, the negative usability effects of passphrases are entirely mitigated when authenticating over a mobile device. Implications from these findings are discussed.

Paper 15: Mobile Information Privacy Protection Practices

Robert E. Crossler, France Belanger

Information privacy is a growing concern in society with the increased use of the Internet and online resources. As the number of individuals connect to the online world via mobile devices is escalating, there are potentially even more concerns for information privacy. To explore and begin to address these potential issues, this research focuses on information privacy practices on mobile devices, focusing particularly on technologically able but privacy unaware users. Indeed, our prior research indicates that most users are unaware of the privacy settings on their mobile devices but once made aware, they desire to remove the location tracking settings set by default and correct other privacy settings. Furthermore, the use of "apps" in mobile devices provides opportunities for others to create information gathering tools hidden from users who download such apps. Therefore, adding the risks of information gathering apps and location-based services tracking to the existing problem of websites collecting information from users creates a potential information privacy black hole. In this research, we test a theoretical model of user's actual mobile information privacy protection practices. The research is conducted in several phases, and we report in this research-in-progress paper results from the first two phases of the research: the exploratory study and the pilot test.

Paper 16: The Information Security Risk Estimation Engine: A Tool for Possibility Based Risk Assessment

Richard Baskerville, Jongwoo Kim, Carl Stucke, Robert Sainsbury

Risk analysis methods help evaluate the costs of information security controls in relation to their benefits. Despite dramatic changes in the constellation of information security risks, the basic approach to these risk calculation methods remains unchanged. The fundamental mathematics underlying these methods is anchored to probability theory. Probability has the advantage of being widely known and conceptually simple. But it has a disadvantage in its grounding on expert estimates of frequency data because such data is often publicly unavailable. This paper proposes the use of possibility theory as an alternative grounding for information security risk calculations. Possibility theory assumes the data grounding will be estimations. The estimations include expert evaluations of both possibility and likelihood of risks. Using a design science research approach, we use possibility theory as the kernel theory in developing and evaluating a practical possibility-based risk estimation prototype. The results offer an expanded grounding to improve information security risk analysis through the use of a broader portfolio of distinct methodologies anchored to alternative mathematical theories of evidence.

Paper 17: A Socio-Technical Framework for Threat Modeling A Software Supply Chain

Xueqin Wang, Bilal Al Sabbagh, Stewart Kowalski

In this paper we suggest a possible threat modeling approach for software supply chain. A Socio-technical approach is discussed and applied for modeling software supply chain security based on a case study of Swedish armed forces (SWAF). First we review current practices and theories for threat modeling of software supply chain. Then we suggest the application of a socio-technical framework for studying software supply chain security problem from a systemic viewpoint. Afterward we propose a step-by-step approach for threat modeling including modeling the target system, identifying threats and analyzing countermeasures. We also present a Delphi groups validation of the socio-technical framework.

Paper 18: Your Memory is Working Against You: How Eye Tracking and Memory Explain Susceptibility to Phishing

Bonnie Brinton Anderson, Anthony Vance, David Eargle, and C. Brock Kirwan

Phishing has become a major attack vector for hackers and cost victims $687 million in the first half of 2012 alone. Additionally, despite technical solutions to defend against this threat, reports show that phishing attacks are increasing. There is therefore a pressing need to understand why users continue to fall victim to phishing, and how such attacks can be prevented. In this research-in-progress paper, we argue that the cognitive neuroscience of memory provides a useful lens through which to study the problem of phishing. A commonly reported finding from the field of memory is the eye movement-based memory effect, the phenomenon of people paying less visual attention to images that have been previously viewed. We aim to show in this paper that this effect holds in the context of email processing, and that the eye movement- based memory effect is a significant contributing factor to users' susceptibility to phishing. We propose an experimental design that uses a memory task involving simulated phishing emails, and measures users' behavioral responses and eye tracking data in response to our phishing manipulations. We further propose to show how training can be designed to help users overcome the eye movement-based memory effect and become less prone to phishing attacks.