The 2016 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Manish Agrawal, Rachida Parks, Jeff Jenkins

Conference Proceedings

Proceedings Editor: Anthony Vance


Paper 1: Information Security Restrictiveness: A Sociotechnical Perspective on Password Policies

Jeffrey Babb, Mark Keith, Paul Steinbart

Frequently, security policies impose acutely proscriptive and prescriptive constraints on user authentication behavior in order to assure the availability and integrity of an information system. In an effort to balance availability with security, this paper explores whether a socio-technical perspective on authentication policy may explain why highly elaborate and restrictive authentication and password policies may stymie a user's "harmony" with an information system. In this case, user discord with authentication policy (a social sub-system), brought about by policy implementation in the technical sub-system (password controls), may adversely impact overall security by introducing unintended consequences in the social system. Accordingly, this research investigates the following premise: if a desired state of system security can be achieved with a policy that affords the user a range of behavioral options, would the user be more likely to comply with the policy? To wit, can flexibility within the social sub-system ameliorate perceived negative aspects commonly attributed to the technical sub-system as they relate to password authentication? We present findings from a field experiment in the context of password selection where secure behavior was enhanced by relaxing proscription and prescription, allowing universal cues in additional feedback tools to take precedence over explicit behavioral requirements.

Paper 2: Exploring the Gap Between Intent and Actual Security Behavior by Evaluating the Use of Password Manager Applications Among Home End-Users

Sal Aurigemma, Tom Mattson, Lori Leonard

In this paper, we explore the voluntary use of password manager applications by college students to address a decades-old and ubiquitous security problem of poor password management (the use of weak and/or reused passwords) by home end-users. In the first part of a multi-phased and mixed-method study, we introduce and measure both intent and actual use of password manager applications by 283 college students after receiving a fear appeal message about poor password management. Although the fear induced from the message showed a strong and significant impact on behavioral intent, participants reported little inclination to use a password manager application, which played out as only 13% actually installed and started using the application within a week of exposure to the security tool. Ongoing thematic analysis exploring the gap between intent and actual behavior has identified perceived lack of resources (time) and effort required to install and use the security tool as the primary behavioral inhibitor while the strongest behavioral enabler was a belief in the response efficacy of the recommended security tool. Using the results of these analyses, we are updating the poor password management threat message to reduce the impact of identified security behavior inhibitors and include more emphasis on volitional prompts on how to use password managers, which will be evaluated in the next phase of the study.

Paper 3: Towards Reticulated State Model for Adoption, Use, and Rejection of the Protective Technologies

Piia Perälä, Mikko Siponen, and Tiina Koskelainen

Billions of Internet-connected devices are potential targets for cyber-attacks from anywhere around the world. The potential threat is not only to personal privacy, information, and assets, but hijacked Internet devices also can be used to commit illegal acts against others, such as launching cyber-attacks against other Internet users, companies, and governments.

Paper 4: I Can't Spot the Difference: An Eye Tracking Study Examining Generalization between Security Warnings and System Notifications

Bonnie Brinton Anderson, Anthony Vance, Jeffrey L. Jenkins, Brock Kirwan, and Daniel Bjornn

Habituation to security warnings—the diminished response to a warning with repeated exposures—is a well-recognized problem in information security. However, the scope of this problem may actually be much greater than previously thought because of the neurobiological phenomenon of generalization. Whereas habituation describes a diminished response with repetitions of the same stimulus, generalization occurs when habituation to one stimulus carries over to other novel stimuli that are similar in appearance. Because software user interface guidelines call for visual consistency, many notifications and warnings share a similar appearance. Unfortunately, generalization suggests that users may already be deeply habituated to a warning they have never seen before because of exposure to other notifications. In this work-in-progress study, we propose an eye tracking experiment to examine how habituation to frequent software notifications generalizes to infrequent security warnings. Our results can guide efforts to design security warnings that are resistant to the effects of generalization.

Paper 5: On the use of motivational components as attention hooks in security message interface design: Avoiding "tl;dr"

David Eargle, Dennis Galletta, Lorrie Cranor

Attacks on information security continue to be reported in the media, and result in large losses for organizations. Oftentimes, the breaches occur because organizational insiders fail to adhere to commonplace system security messages. This could be because, faced with the challenges and time demands of everyday stressors, security policy compliance can be costly for individuals; security actions require time and distract attention from other primary tasks. To defend against these attacks, user interactions with security messages need to be better understood, and user attention to, comprehension of, and adherence to the security messages need to be improved. This work reports two endeavors into enhancing users' perceptions of threat severity and threat susceptibility while being exposed to security messages through the use of motivational interface elements. First, insights are reported from an eight-participant focus group about the wording of motivational statements in security messages. Second, an online MTurk field study is proposed which can compare the performance of incorporating motivational components of threat severity and threat susceptibility into security messages as attention hooks. We intend to collect and analyze results from the second study in time to present them at IFIP 2016.

Paper 6: Priming to Elicit Protection Motivated Behaviors: A Research Proposal

Randall Minas, Allen C. Johnston, Merrill Warkentin, Alan R. Dennis, Phillip Menard

Security Education, Training, and Awareness (SETA) programs have long been used to persuade computer users to comply with security policies and engage in behaviors that will protect their information resources from security threats. SETA messages often include statements designed to influence recipients' appraisal of a threat and of the recommended response to the threat. However, these messages only trigger an effective response if users cognitively process the statements in the message. To explore strategies and techniques to improve the effectiveness of these messages, we propose three candidate studies that use priming to understand three factors that may influence the extent to which a user cognitively processes the message. We seek to gain insight into which study could provide the greatest contribution to our knowledge about priming, protection motivation theory (PMT), and the Elaboration Likelihood Model (ELM) in the context of information security behaviors. We also propose to use NeuroIS, specifically EEG, to examine the changes in cognition that these three priming stimuli trigger.

Paper 7: Validating Formative Self-Efficacy for Computer Security Solutions

Thomas Stafford, Robin Poston

Research continues to demonstrate that consumers are apathetic about protecting themselves from computer security threats posed by spyware exploits, which often lead to identity theft and computer performance degradations. Motivational perspectives drawn from healthcare research have often been utilized as a context in which to investigate consumer reticence to engage in safe computing, leveraging a "disease metaphor" for computer security exploits. However, the theoretical context in which such studies are embedded, Protection Motivation Theory, implies controversial specifications of the key intervening self-efficacy construct in measurement models when such models are employed to study technology protection, in line with recent self-efficacy research in the computer training literature. Computer-based self-efficacy is a critical intervening construct in the theoretical specification of Protection Motivation employed to study cybersecurity behavior, and while the research tradition of Protection Motivation drawn from the healthcare research has typically treated the key self-efficacy concept as a reflectively measured construct, applications of the Protection Motivation model (PMM) to computer scenarios suggest the possibility that a formative measurement model for self-efficacy might be more appropriate. We utilize a basic Protection Motivation model as a nomological network in which to embed a demonstration of formative validation of computer self-efficacy for anti-spyware applications, and we report on the procedure and outcomes of this process here.

Paper 8: Reward-based and Risk-based Persuasion in Phishing Emails

Rohit Valecha, Rui Chen, Teju Herath, Arun Vishwanath, Jingguo Wang, H. Raghav Rao

Phishing is an attempt to acquire sensitive information from a user by malicious means. The losses due to phishing have exceeded a trillion dollars globally. Phishers often use persuasion techniques to get positive responses from the recipients. In investigating phishing persuasion, the literature has largely examined reward-based persuasion techniques (i.e., those offering a reward for compliance). Very little attention has been paid to risk-based persuasion techniques (i.e., those describing the risk of non-compliance) within phishing contexts. In this paper, we explore phishers' reward-based and risk-based persuasion techniques by addressing the research question: How do reward-based and risk-based persuasion techniques affect the likelihood of responding to phishing emails? Such research is useful because a deeper understanding of persuasion techniques can inform the design of effective countermeasures for detecting and blocking phishing messages.

Paper 9: Improving Information Security Through Reduced Incongruity of Risk Perceptions: A Dialogical Action Research study

Gurvirender P.S. Tejay, Derek Sedlak

A critical overreliance on the technical dimension of information security has recently shifted toward more robust, organizationally focused information security methods to countermand large losses from computer security incidents. Developing a more balanced approach is required since protecting information is not an all or nothing proposition. Inaccurate tradeoffs resulting from misidentified risk severity based on organizational group perceptions related to information risk form information security gaps. This study applies dialogical action research to study the information security gap created by incongruent perceptions of organizational members related to information risk among different stakeholder communities. A new model, the Information Security Improvement model, based on Technological Frames of Reference, is proposed and tested to improve information security through reduced member incongruity. The model proved useful in realigning incongruent perceptions related to information risk within the studied organization. A process for identifying disparate information characteristics and potential influencing factors is also presented. The research suggested that the model is flexible and extensible, within the organizational context, and may be used to study incongruent individual perceptions or larger groups such as departments or divisions.

Paper 10: Does Risk Disposition Play a Role in Influencing Decisions to Behave Securely?

Sanjay Goel, Merrill Warkentin, Kevin Williams, Karen Renaud

Employees continue to be the weakest link in an organizational security ecosystem, exposing organizational assets through carelessness, malicious threats, or apathy towards security policies. Security-related decision making is a complex process that is driven by an individual's risk perception, self-efficacy, and their propensity to accept risks. Existing behavioral security research on user security behavior is rooted in models based on rational choice theory such as protection motivation theory and deterrence theory, both of which focus on using fear appeals and punishments to prompt desired security behavior. Recent research on human rationality suggests that security-related decision making is far more complex and nuanced, not a simple carrot-and-stick process, and not necessarily grounded in rational reasoning. In reality, a combination of dispositional and situational factors is likely to interact to influence security decisions. In this paper we explore the role of one particular dispositional factor, individual risk acceptance vs. risk aversion. While not refuting the influence of other factors, we argue that this factor plays a key role in influencing security behaviors. We propose a model that depicts the impact of individual dispositional risk propensity and situational risk perception on employees' security-related decisions. We believe this model will lay a foundation for designing effective security compliance interventions.

Paper 11: Avoiding Data Risk: Theory of Secure Information Sharing

Richard L. Baskerville, Mala Kaul

Cyber-security threats are becoming increasingly commonplace and organizations face challenges balancing the advantages accrued through the use of technology, with securing their information infrastructures to prevent security incidents including data breaches. Security breaches can result in leaking sensitive information, identity theft, financial losses, damage to reputation, and lawsuits or penalties. To make well informed decisions, there is a critical need for information security risk-management benchmarking. Such benchmarking data depends on the availability of industry-wide data on security breaches and losses. However, privacy concerns create a major obstacle in the collection of such data since most organizations are hesitant to share sensitive information. This research offers a theoretical framework for improving collaboration and sharing of security related information through risk avoidance. We propose that the risk of data disclosure will be avoided if organizations share only aggregated information about their security incidents, and that the risk of disclosure will be avoided if the shared information is not traceable to the individual organizations. This reduces the reluctance of organizations to share sensitive metrics, by allowing them to anonymously contribute to aggregate security assessment results within a network of peers, while not storing or releasing the raw data outside the organization.

Paper 12: Does Emotion Predict Information Security Behaviors in the Workplace? A New Theoretical Exploration

Carol Hsu, Feng Xu and Xin Luo

Mitigating insider threats has been an important academic and managerial agenda in the area of information systems (IS) security management, given that employees are considered a top vulnerability and a source of security attacks in a number of industry reports (Ernst & Young 2014, 2015; PwC 2015). Within the IS security literature, a noticeable number of studies have also adopted various theoretical angles on the deterrence of employees' computer misuse behaviors (D'Arcy, Hovav, & Galletta, 2009; Hu, Xu, Dinev, & Ling, 2011; Straub, 1990; Straub & Welke, 1998). While valuable, Willison and Warkentin (2013) have drawn attention to the importance of "pre-kinetic events" in the security context and put forward that "the fact that phenomena which exist temporally prior to deterrence have rarely been addressed by IS researchers" (p.5). Specifically, the interplay between organization and employees, such as workplace disgruntlement, expressive motives and neutralization, influences the effectiveness of IS security countermeasures (Willison & Warkentin, 2013). Among their proposed research directions for "pre-kinetic events", one interesting possibility lies in "examining the relationship between emotions and deterrence would represent a new stream of research for the IS security field" (p.10). Prior research has found that theories of decision making may be incomplete if they omit the role of emotion (Carmichael & Piquero, 2004; Frazier & Meisenhelder, 1985).

Paper 13: The Influence of a Good Relationship Between the Internal Audit and Information Security Functions on Information Security Outcomes

Paul Steinbart, Robyn Raschke, Graham Gal and William Dilla

Given the increasing financial impact of cyber-crime, it has become critical for companies to manage information security risk. The Internal Audit function (IAF) plays an important role in providing assurance with respect to information security. The profession has long recognized that the value realized from their assurance activities depends, in part, on the quality of the relationship between the IAF and the managers directly responsible for information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. Top management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the two functions. In turn, the quality of this relationship has a positive association with objective information security outcomes. These results have significant implications for both research and practice.

Paper 14: Information Security Policy Violations in the Workplace: A Cross-Level Approach

Dawei Wang, Alexandra Durcikova and Alan Dennis

Promoting employees' compliance with information security policy (ISP) has long been a focus of information security research. The vast majority of ISP violation studies have focused primarily on exploring various antecedents of ISP violations at the individual level, that is, how information security countermeasures or individual differences affect an individual employee's intention to violate the ISP. We argue that an individual's ISP violation behavior is not only determined by individual-level factors such as information security countermeasures or individual differences, but also by contextual factors. In this conceptual paper, drawing upon social influence theory, we propose that an individual employee's ISP violation can also be strongly influenced by other people in a workgroup. In addition, we explain that this contagion effect of improper behavior can be mitigated by micro-level factors (e.g., social control) and meso-level factors (task interdependence, closeness of supervision, team-member exchange). Theoretical and practical implications are discussed.

Paper 15: Grounded Theory Approach to Conceptualizing Information Security Policy Violations at a Higher Education Institute

Kennedy Njenga and Maureen van Den Bergh

Data breaches in the form of Information Security Policy (ISP) violations in the education sector are becoming commonplace. The focus of this study is to examine these violations and to generate unique insights underlying ISP violations within the context of a Higher Educational Institution (HEI). HEIs are uniquely different from other business contexts since information sharing is predominantly encouraged. It is the underlying sharing of information that characterizes many security policy violations in this sector. This aspect has been overlooked in Information Systems (IS) security literature. The use of grounded theory in this work presents insightful behavioral features in a selected HEI and generates a substantive theory of these violations in said context. Key categories that emerge from the grounded theory methodology are that there are diverse tensions between norms, attachment and commitment to work that shape ISP violations differently. These tensions address different ISP violation outcomes, namely: Relational Conflict, Disposition and Cognitive Consistency (or lack thereof). Our model proposes that imbalances in these three tensions will most likely result in ISP violations in HEIs. The implications for this model are discussed within the main body of this work.

Paper 16: Unveiling the Role of Individual Resilience to Cyber-terrorism: An Empirical Investigation

Jian Hua, Yan Chen and Robert Luo

This study aims to explore antecedents of individual resilience and its consequent economic behavior. In essence, this study examines the relationship between individual resilience and individuals' economic resilient behavior, discovers the role of fear in individual economic resilient behavior, and explores the antecedents of individual resilience. By proposing to empirically validate the proposed research model, this study develops the individual economic resilient behavior model to predict individual behavior after cyber-terrorism attacks by adopting the resilience literature and the fear appraisal literature. This study adopted the appropriate fear appeal manipulations. The primary research questions in this study are: 1) How does individual resilience influence individual economic resilient behavior? 2) What are the antecedents of individual resilience? 3) How does fear play a role in individual economic resilient behavior? The findings of this study are expected to provide recommendations to make civilians more resilient after cyber-terrorism attacks on financial systems. These findings may also be generalized to other terrorist attacks and help understand the impact of individual resilience.

Paper 17: Differences in Cybersecurity Behavior between Cyber Offender and Cyber Defender

Hwee-Joo Kam and Shuyuan Mary Ho

System vulnerabilities have caused individuals and organizations to suffer the loss of valuable information, the loss of millions of dollars, and privacy violations. To address this issue, this study examines the interactive behaviors between system engineers and penetration testers based upon Activity Theory. By uncovering how and why conflicts exist during the interactions between these professionals, this study will gain insights into the diverse values espoused by each professional group. Cyber offense is associated with penetration testing because penetration testers assess system vulnerabilities using techniques that emulate real-life cyberattacks. In contrast, cyber defense is associated with system engineering because system engineers protect a system in addition to enabling system functionalities. The research findings will close the gap between cyber offense and cyber defense to suggest viable solutions for secure system administration.

Paper 18: Predicting Secure Home Wireless Behavior

Justin Giboney

There are two major components to acting securely: information security knowledge and information security self-efficacy. Information security knowledge allows people to understand the steps they need to take to secure themselves or their businesses from digital threats (Bélanger and Crossler 2011; Bulgurcu et al. 2010; D'Arcy et al. 2009; Siponen 2000). Information security self-efficacy allows people to feel confident that they can follow those steps to achieve ideal outcomes (D'Arcy and Herath 2011). Researchers typically use the two as independent antecedents to security behavior (e.g., Bulgurcu et al. 2010). While researchers have investigated the connection between the two, they have usually investigated specific contextual knowledge (e.g., Tu et al. 2015). This paper studies the relationship between knowledge, self-efficacy, and performance.