The 2015 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Bonnie Brinton Anderson, Mark Keith, Anthony Vance

Conference Proceedings

Proceedings Editor: Anthony Vance

Download all papers here.

Paper 1: Generally Speaking, Context Matters: Making the Case for Increased Emphasis on Specific Security Threat Contexts in Security Behavior Research

Salvatore Aurigemma, Raymond Panko

A significant portion of the literature in the behavioral security compliance field focuses on theoretical models built and tested around general security behaviors and intentions in multiple organizations without confirmation of the presence or contents of supporting information security policies. Results of our analysis of data from employees at several United States Department of Defense sub-organizations provides support to our expectation that models of general security behaviors fail to best represent the significance and importance of various behavioral factors affecting employee intentions to comply with security policies focused on specific security threats. Our findings also indicate that the relative amount of social interaction (enforcement expectation on others) required by specific security policy-directed actions affects compliance intention through an employee's perceived behavioral control over executing the required behaviors.

Paper 2: What Shapes Information Systems Misuse Intention? The Hidden Role of Leadership Style and Perceived Organizational Justice

Anat Zeelim-Hovav

We introduce and validate a model that examines the relationships between perceived organizational justice, perceived leadership style, organizational citizenry behavior and misuse intention. We hypothesize that perceived ethical and participatory leadership will increase organizational citizenry behavior (obedience and loyalty) and subsequently reduce misuse intention, while perceived informational and procedural organizational injustice will increase misuse intentions. We suggest that the existence of sanctions will moderate the relationships between perceived leadership and misuse. The relationship between perceived organizational injustice and misuse intentions are moderated by organizational security awareness. In addition, the severity of the behavior has a moderating influence on the relations between perceived organizational injustice and misuse intentions. We used a scenario based survey to empirically test the hypotheses. Our results show that the effect of leadership, injustice and citizenry on misuse intention varies by the type of behavior involved.

Paper 3: A Cross-Nation Study: Information Security Policy Compliance in the Banking Industry

Hwee-Joo Kam, Pairin Katerattanakul, Soo-Goo Hong

This is a study-in-progress that examines the differences in perceived security norms in the banking industry between the United States and South Korea. Drawing on Competing Value Framework (CVF), Neo-Institutional Theory (NIT), and Hofstede's Cultural Framework, this study proposes an integrated theoretical framework to assess the impact of national culture, organizational culture, industry and individual attributes on perceived security norms among the banking employees. In general, this study intends to contribute (1) a theoretical framework encompassing national and industry and (2) practical implications for adopting IT governance framework and security practices in multiple cultural settings.

Paper 4: Analyzing the Value of an Information Disclosure

Joey Buckman, Jesse Bockstedt, Matthew Hashim

We investigate the value people place on the disclosure of personal information given certain aspects of the disclosure and the individual's privacy concerns. We use a willingness-to- accept approach in two randomized experiments to capture a participant's valuation. In our experiments, we manipulate the disclosure by altering the type of information requested, the receiver's secondary use of the information, and the inclusion of identifying information. We also measure Internet privacy concerns in a post experiment survey. We find that the information type and an individual's privacy concerns significantly influence the value of a disclosure. Neither secondary use nor identifying information affect the valuation. These results provide a unique perspective on privacy valuations and fill a gap in the literature by identifying factors influencing the value of a disclosure.

Paper 5: Privacy Rights Attitude about Individuals, Companies, and Governments: A Theoretical Perspective

Justin Giboney, David Wilson, Alexandra Durcikova

This paper develops and tests a theoretical model to help answer the following question, what influences an individual's perceptions regarding the right to privacy of others (individuals, organizations, and governments)? This question is particularly relevant for organizations and governments, for whom insider threats to corporate or government privacy present a dangerous risk. We draw from two bases of literature (privacy and human rights) to theorize several constructs that should account for privacy rights attitude about others. In addition, we differentiate between privacy rights attitude toward individual, company, and government, justify different origins of these entity types' right to privacy, and propose different effects on these entity types from privacy awareness, privacy experiences, technical ability, past privacy invasions, power distance, and individualism/collectivism. We test our hypotheses using two studies using vignettes. The model presented here is the first of its kind in the IS literature, and lays the groundwork for future contributions in academic research and greater understanding relevant to practitioners.

Paper 6: Research Design for Study of Cultural and Societal Influence on Online Privacy Behavior

Ersin Dincelli, Sanjay Goel

Voluntary disclosure of personal information on social media coupled with broad access to this information makes social media a privacy challenge. Most users are aware of the risks, however, many users continue to voluntarily disclose their information via social media; there is a stark contrast regarding these issues among users. Several factors influence user security behavior, including, level of education, computer literacy, gender, culture etc. This study is focused on determining whether the users' cultural orientation impacts their privacy behavior on online social networks (OSNs). It is important to understand these cultural differences as we address some of the security and privacy challenges. Studies on behavioral security in the past have been conducted within a specific culture. There are few studies that examine the cross-cultural impact on privacy behavior. This study aims to address this gap in the literature. We will collect data from OSN users from two different countries that possess divergent social norms and values. Specifically, we focus on users from the United States, Turkey and Turkish emigrants who live in the United States and analyze the differences in behavior patterns among the groups. The paper makes a theoretic contribution to the literature by coupling the theory of planned behavior with the Individualism-Collectivism scale to measure the impact of users' cultural orientation in context of their privacy of their information on OSNs. A survey instrument based on this model was created and data was collected from American users; data from Turkish users (and immigrants to the US) will be collected subsequently. We expect that culture influences how individuals share information and expose themselves in social media.

Paper 7: Examining Gamification as a Driver of Individual Information Security Behavior

Jacques Ophoff, Mikhail Janowski

Information is one of the most important assets an organization owns. With the exponential increase in computing power and connectivity between computers the prevalence of cyber- attacks and information theft is increasing. Thus information security is a growing concern for management and IT professionals. Human behavior is one of the biggest challenges faced by information security professionals. The objective of this study is to investigate ways to improve individual information security behavior in a fun and unobtrusive manner using gamification. The research question this study asks is whether gamification can be used to effectively motivate users to choose stronger passwords. This question is complemented by investigating which game elements are most effective and what other factors influence password strength. An online experimental research design was used. The experiment consisted of four groups, one of which received no feedback, a baseline control group, and testing two game elements: badges and leaderboards. The participants were asked to complete a simulated sign-up form and their password strength was measured using NIST guidelines for estimating password strength. The experiment was completed by 581 participants. A statistical analysis of the data found that there was a significant difference between the mean password strength of the group without feedback and the three other groups. This suggests that gamification can be used to motivate users to choose stronger passwords. This research is significant as it opens new directions for information security research, based on behavioral and cognitive approaches.

Paper 8: Warning! A Comprehensive Model of the Effects of Digital Information Security Warning Messages

Mario Silic, Jordan Barlow, Dustin Ormond

We investigate the value people place on the disclosure of personal information given certain aspects of the disclosure and the individual's privacy concerns. We use a willingness-to-accept approach in two randomized experiments to capture a participant's valuation. In our experiments, we manipulate the disclosure by altering the type of information requested, the receiver's secondary use of the information, and the inclusion of identifying information. We also measure Internet privacy concerns in a post experiment survey. We find that the information type and an individual's privacy concerns significantly influence the value of a disclosure. Neither secondary use nor identifying information affect the valuation. These results provide a unique perspective on privacy valuations and fill a gap in the literature by identifying factors influencing the value of a disclosure.

Paper 9: A Theory of Reconfigurative/Emergent Security

Richard Baskerville, Mala Kaul

Generally, Information Systems security is implemented through restrictive and well-formed security controls that result in predictable performance of the system. However, the complex and fast-changing technological environment requires alternate approaches to managing security. This research presents a bindpoint design theory to support the design of secure information systems in complex socio-technical environments. An empirical evaluation of the theory is conducted in the specific context of security problems arising from BYOD (Bring your own Device). The bindpoint design theory conceptualizes the interaction between an individual's Information System with that of an organization's, as a bindpoint that creates a completely new context of security requirements. The evaluation results in the refinement of the bindpoint design theory and in the development of design principles. The design principles are further elaborated to develop a set of design rules. Finally, implications of the theory for practical application and further research are discussed.

Paper 10: Integrating Facial Threat Signals into Security Messages: An Extension of Media Naturalness Theory to an Information Security Context

Dave Eargle, Dennis Galletta, Brock Kirwan, Tony Vance

At IFIP 2014, Eargle, Galletta, and Siegle (2014) drew on findings from neuroscience to theorize that fearful facial expressions would bolster users' threat processing when exposed to such a security message. They proposed a functional magnetic resonance imaging (fMRI) study and a field study to examine the impact of integrating fearful human facial expressions into security messages. They predicted that integrated facial expressions of emotion have potential to mitigate habitual user dismissal of security messages -- users would be prompted to more carefully consider their choice when interacting with a security message.

This write-up reports on progress made since the Eargle et al. (2014) proposal. Since last IFIP, we updated our hypotheses and finalized the experimental design for the MRI study. Data was collected at Brigham Young University in May 2015 using 23 participants. Analyses for the fMRI data will be presented at IFIP 2015. Feedback from the working group community members will be solicited as to how to best frame the MRI analysis for the IS community, and how to best design the field study to corroborate the MRI design.

Paper 11: More Harm Than Good? How Security Messages That Interrupt Make Us Vulnerable

Bonnie Anderson, Tony Vance, Jeff Jenkins, Brock Kirwan, Dave Eargle

We examine how security behavior is affected by dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. We find that security messages that interrupt users actually make users more vulnerable by increasing security message disregard behaving against the recommended course of action of a security message. We study the previously unexamined effect of DTI on a secondary, interrupting task a security message. In a security context, it is critical that this interruption be carefully heeded. We use functional magnetic resonance imaging (fMRI) to explore (1) how DTI occurs in the brain in response to interruptive security messages and (2) how DTI influences security message disregard. We show that neural activation in the medial temporal lobe (MTL) a brain region associated with declarative memory is substantially reduced under a condition of high DTI, which in turn significantly predicts security message disregard.

Paper 12: Change Your Password—A Mixed Method Study on How to Persuade Information Systems Users to Change Their Passwords

Nan Zhang, Yixin Zhang, Mikko Siponen, Mari Karjalainen

Password is the most commonly adopted authentication method, and the number of passwords has been increasing with the proliferation of various information systems. Passwords should be complex, unique and meaningless so that they cannot be cracked technically. Passwords should also be changed from time to time to maintain the security level. Changing password can be technically enforced, but the compulsory action usually leads to complications such as user resistances that may undermine the whole password change process. Therefore, organizations try to find ways in which the users take more responsibility of changing the password, i.e. the password change is voluntary, through request or persuasion, but not technically enforced. In this research in progress study, we examined the effect of different contextualized persuasion communication strategies when the employees are asked to change the password. The persuasion communication strategies were designed based on persuasion theory and Protection Motivation Theory (PMT). We conducted large scale field experiments with 13985 participants at a university in Finland. Both students and staff are involved in the field experiment, and they received email messages with different contexts to persuade them to change the password of their university account. Participants were not aware of the purpose of the study, and the actual password change results were recorded. Analysis revealed that persuasion techniques and fear appeals both improved password change rates. Among the four persuasions techniques examined, persuasion based on consistency with university rules resulted in the highest password change rates, comparing to persuasion based on reciprocity, references to authority, and efficacy of the prevention procedure. Fear appeals, comparing to persuasion techniques which does not include harms or threats, have higher likelihood to persuade users to change their passwords. Regarding the effects of the PMT related factors in fear appeals, though post-hoc analysis offered some clues that high personal relevance of the threat and high severity of the threat may lead to higher password change rates, the support was partial and further investigation needs to be done. In addition, we found that in all the experimental groups, university staffs consistently had higher password change rates comparing to students. Interviews are ongoing in order to find more insights to explain the results.

Paper 13: An Exploration of Language Acts of Persuasion in Phishing Emails

Rohit Valecha, Rui Chen, Teju Herath, Arun Vishwanath, Jingguo Wang, H. Raghav Rao

Phishing is an attempt to acquire sensitive information from a user by malicious means. The losses due to phishing have exceeded a trillion dollars globally. Phishers often use persuasion techniques1 to get positive responses from the recipients. However, very little attention has been paid to persuasion techniques within phishing contexts. In this paper, we explore the linguistic features-language acts-related to phisher's persuasion techniques. We address the research question: how are the phishers' language acts related to their persuasion techniques within phishing emails? This research characterizes language acts used by phishers for persuading potential victims.

Paper 14: No Fear: Investigating Psychopathy and Information Security Policy Compliance in Relation to Insider Threat

Michele Maasberg, John Warren, Nicole Beebe, Glenn Dietrich

Organizational information security policies (ISP) are a risk mitigation strategy employed by organizations in order to prevent insider abuse of information systems. Tactics such as persuasive messages in the form of fear appeals are often employed in conjunction with ISP in order to enhance probability of compliance. However, employees exhibiting Dark Triad personality traits, specifically psychopathy, may be resistant to fear appeals tactics due to a correlation of psychopathy with low fear or anxiety. The purpose of our study is to examine the construct of psychopathy in the context of a fear appeals strategy regarding ISP compliance in order to determine its impact on this population. We draw on extant literature and propose a model based on the Theory of Planned Behavior, Fear Appeals, and psychologically based emotional research to explain the process of fear appeals on ISP compliance. We then introduce psychopathy as a negatively moderating construct in relation to the generation of arousal of fear or anxiety. We present seven hypotheses regarding these relationships. This research has implications for both practitioners and researchers in the behavioral insider threat realm.

Paper 15: Deviant Insider Threat Profiling: A Plan for Research and Development

Sam Thompson, Allen Johnston, Mark Keith

Organizational insiders with the requisite capabilities, motivation, and opportunity (CMO) can have a severe, negative impact on an organization's performance. Preventing incidents with such negative impacts from occurring may be undertaken via psychological profiling of these insiders. Researchers and practitioners are developing potential threat profiles that will aid in the early identification of interviewees and employees who are likely to commit insider abuse. However, there are critical limitations of existing threat detection techniques (e.g. too many false positives, too much data to review in a timely manner, not enough context) (Robinson, 2014) and the majority of scholars' efforts have been toward the profiling of cyber criminals, in general, as opposed to organizational deviant insiders. If these limitations can be overcome, organizations could save significant financial costs and reputation loss resulting from deviant insiders. The overarching purpose of this research is to help overcome these limitations and organizations in the identification of potentially deviant insiders by developing a psychological profile of deviant insiders and testing the profile through the use of a psychological gaming artifact.

Paper 16: Form Auto-Completion Tools Designed for Elaboration: Overcoming the Deleterious Effects of Decisional Heuristics on Users' Privacy

Burcu Bulgurcu, Bart Knijnenburg

Modern web browsers provide users with auto-completion tools to reduce the burden of filling out online forms. Despite the widespread adoption of these tools and the range of benefits they offer, little is known about the negative implications of their use. This paper examines the mechanisms underlying the information disclosure decisions of auto-completion tool users. Building on literature on the privacy calculus, heuristic decision making, and the Elaboration Likelihood Model (ELM), we argue that traditional auto-completion tools significantly diminish the deliberateness of users' information privacy- related decision making, and in turn result in overdisclosure of personal information. To mitigate these adverse effects, we propose two alternative design solutions with "add" and "remove" buttons. The results of our online experiments support the following: (1) users disclose significantly more information when they are presented with the traditional auto-completion tool than with the proposed alternative tools, which help users be more mindful in their decision making, (2) purpose-specify (i.e., the fit between context and requested information) is a primary antecedent of users' disclosure behavior, but only for users of the alternative tools, (3) although both of the proposed tools help mitigate the argued vulnerability, users prefer the add tool over the remove tool. Overall, our findings suggest that users can be encouraged to exert effort to protect their privacy and they prefer systems that help them do so.

Paper 17: The Right to be Forgotten: Exploring Consumer Privacy Attitudes About the Final Stage of the Information Life Cycle

Paul Steinbart, Mark Keith, Jeffry Babb

Until now, privacy research has neglected the last stage of the information life cycle: deletion. Concern about secure deletion of information, however, is growing, particularly with regard to information posted in social networking sites. Stories about how such information can harm careers have led to discussion of a "right to be forgotten" (RTBF). We survey consumers to understand their attitudes about this proposed RTBF and find that it is distinct from previously validated first-order privacy constructs. We also find that digital natives and digital immigrants have different attitudes about the RTBF. Our results have important implications for both research and practice.

Paper 18: Autonomous and Interdependent: Collaborative Privacy Responses on Social Network Sites

Haiyan Jia, Heng Xu

Although information sharing on social networking sites (SNSs) usually involves multiple stakeholders, limited attention has been paid so far to conceptualizing the management of the shared information as a collaborative process. To fill this gap in the literature, we propose the conception of collaborative privacy responses and develop a survey instrument to measure privacy management strategies involving co-owners of shared content. By conducting two online surveys (N = 304, 427) with different samples, we assess the validity of the scale and reveal findings of how individuals protect online privacy collaboratively and how individuals' autonomous decision making regarding privacy management is shaped by the interdependent use of SNS with their social connections. To the best of our knowledge, this paper is one of the first to conceptualize and to develop a scale of collaborative privacy responses. We discuss theoretical implications to privacy research and suggest design guidelines for better supporting users' needs for collaborating with their social ties to achieve privacy goals.