The 2017 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Burcu Bulgurcu, Jeffrey Wall, Jingguo Wang

Conference Proceedings

Proceedings Editor: Anthony Vance


Paper 1: Integrating Outcome Oriented Policy in Information Security Policies: An Examination of Security Perceptions, Motivations, and Intentions

Jeffrey Wall and Mary Buche

With security breaches occurring regularly, organizations must employ strong security countermeasures to protect private, valuable information. Organizational insiders pose a major threat to the security of organizations by direct and intentional misuse of information assets and by the careless and negligent use of information. Developing strong information security policy (ISP) is important to thwarting insider security threats. To date, behavioral information security research has primarily examined ISP from a procedural viewpoint. Outcome-oriented security policy is understudied, but may allow for greater self-determination that motivates stronger security behavior. This research-in-progress proposes a study of security policy to determine how the inclusion of outcome-oriented security policy influences insiders' motivations to improve security efforts and intentions to follow procedural security policy. An experiment is proposed to test the hypotheses.

Paper 2: Qualifying Quantitative Measurement of Information Systems Security Behavior: Qualitative Contributions to Neurocognitive Data Collection

Tom Stafford

In the process of collecting biometric data in neurocognitive research labs, the investigator also has numerous opportunities to directly observe both subject behavior and subject responses to neurocognitive measures in real time. As a result, investigators can have the opportunity to take note of and interpretatively analyze unusual responses and may elect to engage in directed interviews with subjects after the neurocognitive data collection process has finished in order to better understand unusual responses observed during the research encounter. This process leads to a melding of quantitative data collection with the interpretation of qualitative subject interviews thus serving to "qualify" the nature of the quantitative data being collected. A number of interpretive insights into the neurocognitive phenomenon of study can be gained by careful observation of subject behavior and close monitoring of biometric sensor data flows during data collection, as well as through judicious interaction with the subjects at the end of neurocognitive data collection sessions. This paper reports on the serendipitous qualitative illuminations that arose in a study of cybersecurity behaviors. Computer cybersecurity is threatened not only by external exploits and malware attacks; it is also threatened by computer user apathy and laxity toward pro-security behaviors, arising from the naive dependence upon technology solutions and computing platforms for computer protection, absent user involvement. Our qualitative analysis of unexpected subject responses to cybersecurity stimuli in the neurocognitive laboratory informed an emerging theory of Cybersecurity Loafing, which is explicated here.

Paper 3: Beyond Extra-Role Security Behaviors in Large Corporate Settings: The Case of "Tribal Security"

Yaojie Li, Tom Stafford, Selwyn Ellis, Bryan Fuller

In this research, we intended to investigate the nature of employee extra-role security behaviors. Extra role security behaviors are security actions that may seem to go beyond requirements and limitations of established security policies. In our field study, we expected to investigate how employees might sometimes take steps beyond the requirements of the organizational-level security policy in order to facilitate effective workgroup operation and to assist less-skilled colleagues. What we learned, instead, was that there are at least two different ways in which security is viewed in firms, and only one of them is accessible to company management. So, while we set out to understand extra-role security behaviors in a qualitative scenario with a Fortune 500 company, we instead learned of formal and informal security cultures operating in parallel and in isolation from each other within the firm. At the top, there was the formal company culture which is explicated in the Information Security Policy and serves as a mechanism of formal governance. In the workgroup we studied, however, there was an informal culture of "local security," which served to support workgroup efficacy and task cohesion; these workgroup security norms were not always in direct accordance with top-line company policy. This represents a juxtaposition of the security culture of the intimate close-knit workgroup, which we characterize as a "Tribe," in counterpoint to the formal security policies of the overall firm. Each of these security cultures is specific and well understood by its separate proponents, but the distinctions between the two are important to understand as an aspect of security governance in large and complex organizations.

Paper 4: The "Take No Action Paradox": Media Dependency's Influence on Post-Attack Protective Behavior

Anat Hovav, Jinyoung Han

Industry reports suggest that the cost of cyber security attacks is in the millions of dollars. For example, experts estimated the cost of the Sony attack to be $100 Million, listing mostly tangible costs such as the cost to investigate, repair and prevent future attacks. The costs incurred by Target and Home Depot are similar in magnitude. The Ponemon Institute (2016) report found that security breaches cost on average $4 Million, citing customers' loss of trust as the largest financial consequence to organizations post data breach. Academic research has viewed losses from cyber attacks in a similar manner. Tangible losses include the cost to contain and repair, loss of productivity and system downtime, while intangible losses may result from loss of reputation, trust and customer loyalty. Yet, to date, academic research regarding the financial impact of cyber attacks on attacked companies has failed to find consistent losses across the board. Furthermore, industry reports suggest that negative publicity following an attack often results in loss of consumers' confidence, abnormal customer churn, slower acquisition of new customers, and opportunity cost. These effects were especially noticeable for breaches that involved customers' data. Thus, a common assumption of both academic research and industry analysts is that consumers will react negatively to a security breach. Yet, this assertion has not been tested theoretically or statistically in academic settings. The goal of this work is to investigate the effect of media reporting of an attack on the public's reaction. Specifically, we are interested in the reactions and actions taken by consumers whose data was breached and consumers who have heard of the breach but were not affected. To do so, we collected data immediately after a major breach where millions of credit cards were stolen from three major credit card companies in South Korea. We found that for the non-attacked group, media dependency increases anxiety and subsequent intention to engage in protective behavior. The company's post-attack reaction had no significant influence on the intention to engage in protective behavior. The results for the attacked group were significantly different. Although media dependency increases anxiety, neither increases actual post-attack protective behavior. Similarly, the company's post-attack reaction had no significant effect on the attacked group's protective behavior. These results suggest that while consumers intend to make fundamental changes if their personal data is breached, very few consumers actually make these changes.

Paper 5: The Travel of Privacy Guidelines

Chad Anderson, Richard Baskerville, Mala Kaul

Increasing dependence on technology by organizations and individual consumers has resulted in a profusion of information security and privacy regulations and standards to protect the individual's personal information as well as the entities collecting that information and charged with safeguarding it. Most security and privacy guidelines and standards carry a degree of universality while being flexible to enable adaptation and compliance with local requirements and regulations. However, our research into the development and enactment of the security and privacy policies of a health information exchange demonstrates that the journey of privacy guidelines from global standards to their ultimate enactment in an organizational setting is accompanied by a number of translations, such that the final implementation may differ extensively from its original form. We use translation theory to examine the travel of privacy guidelines through multiple translations to explain how security guidelines and standards are adapted to discrete settings. This has important theoretical and practical implications for information privacy regulation, by providing a holistic, yet purpose-specific view of information privacy, and an example of the application of global and local considerations to standards setting and execution.

Paper 6: Toward a Contingency Framework of Information Security Control: Markets, Bureaucracies, and Symbols

Yaojie Li

This paper conceptualizes information security control in contemporary organizations by drawing upon behavioral control theories from the organizational design and structure literature, and by examining varying control modes in security contingency scenarios. An information security control triad model is offered: markets, bureaucracies, and symbols. From that, we propose a dynamic portfolio of information security controls by which an organization can efficiently and effectively achieve its information security objectives while addressing shortcomings and limitations of individual security control mechanisms in complex and rapidly-changing environments. We specify future research that leverages qualitative case studies in order to fully understand and interpret organizational information security controls in different settings.

Paper 7: A Qualitative Study of Multilevel Information Privacy Norms

France Belanger, Tabitha James

There is abundant privacy research focusing on concerns of citizens and negative outcomes related to disclosure of information. However, sharing personal information with others can be a positive relationship-building activity. In fact, individuals and groups often carefully manage the distribution of their information (i.e., what is distributed and to whom) to advance strategic interests. Yet, there is limited research focusing on factors that shape individual and group information and interaction management guidelines (i.e., privacy norms), how their formation differs among groups, and how they affect privacy decisions. Drawing on social psychology literature, we propose a framework for the development of individual and group privacy norms and their relationships to privacy decisions and behaviors. To explore the framework, we conduct a series of interviews with 16 individuals within two formal groups. Results of the analyses of the collected data will be presented at the conference.

Paper 8: I Get So Emotional Baby! The Interplay of Security-Related Stress, Emotions, And Neutralization of ISP Violations

John D'Arcy, Pei-Lee Teh

In this paper we conceptualize security-related stress (SRS) as an affect-laden work event and propose a theoretical model that links SRS, discrete emotions, coping response, and information security policy (ISP) compliance on a within-individual basis. To test the model, we used an experience sampling design in which 138 computer-using professionals completed surveys on a Monday-Wednesday-Friday schedule over a three-week period. The results showed that instances of SRS had a positive association with both frustration and fatigue, and these negative emotions were in turn associated with neutralization of ISP violations, which itself predicted ISP compliance behavior. Results of an additional analysis suggest that feelings of frustration and fatigue from security requirements make employees more likely to follow through on their rationalizations of ISP violations by means of decreased ISP compliance. Overall, our findings support the position that SRS has an episodic dimension with affective consequences. They also provide evidence that neutralization is not a completely stable phenomenon, but instead can vary within individuals from one point in time to the next. We discuss the implications of our findings for research and practice.

Paper 9: Resolving the Privacy Policy Paradox with Content-Optimized Videos

Mark J. Keith, K. Shane Reeves, Jacob T. Frederickson, Jeffry Babb

Because privacy policies are not sufficiently understandable and engaging, consumers often ignore them, foregoing the rational risk/benefit analysis described in privacy calculus theory, and allow transaction partners to access their personal information. Companies are faced with a paradox in that privacy policies need to meet two competing objectives: (1) fulfill legal obligations by comprehensively disclosing all information regarding the company's data practices, and (2) resolve consumers' privacy concerns by engaging their attention and being easily understandable. As prior research has demonstrated, the amount of information provided in a privacy policy does not have a linear effect on consumer disclosure. We therefore examine both how different amounts and types of provider-disclosed information (what data will be collected, how it will be used, and with whom it will be shared) affect consumers' perceived risk and eventual disclosure decisions as well as the effectiveness of video versus text as a medium for communicating privacy policies. To explain the surprising effect of privacy policy content on consumer information disclosure, we integrate multiple theories into a core model based on privacy calculus. We tested our model, including the efficacy of video versus text, by creating nine versions of a privacy policy disclosure script for a hypothetical mobile app and implementing each version both in traditional text form and through a commercial-like video. To simulate real privacy risk perceptions, we recruited participants under the false premise that they were part of a consumer study for a real forthcoming mobile app. The results indicate that different types of provider-disclosed information have different effects on consumer data disclosure and that the video medium causes consumers to remain engaged longer and to be impacted more by the information in the privacy policy.

Paper 10: A Proposal to Recondition Learned Security Behaviors to Improve User Response to Phishing Emails

Sanjay Goel, Alan Dennis, Kevin Williams, Jeffry Babb

Researchers have attempted to manipulate user security behavior to make it compliant with the security policies of the organization. Most of the manipulation relies on system 2 thinking, where a user carefully examines the situation before taking action; we contend that a lot of users never get to system 2 thinking and instead follow the system 1 route and make a non-conscious security decision. In this research, we seek to break users' non-conscious automatic cognition (system 1) and re-condition them to not automatically make security decisions that can be detrimental to security (e.g., clicking on links). We then train users through multiple contexts to invoke system 2's deeper level of thinking such that they can distinguish between fraudulent and benign messages to make an informed security decision. This paper presents the blueprint of the research and our research plan.

Paper 11: A Multi-Level Model of Phishing Email Detection

Rohit Valecha, Azmeena Narsingani, Rui Chen, Teju Herath, Jingguo Wang, H. Raghav Rao

Phishing is an attempt to acquire sensitive information from a user by malicious means. The losses due to phishing have exceeded a trillion dollars globally. Phishers often use persuasion techniques to get positive responses from the recipients. In investigating phishing persuasion, the literature has largely examined gain-based frames, i.e., those offering a reward for compliance. Very little attention has been paid to loss-based frames (i.e., those describing the loss due to non-compliance) within phishing contexts. In addition, few studies have accounted for individual differences in investigating the effectiveness of persuasion techniques in the phishing context. In this paper, we explore the research questions: (1) How do gain- and loss-based frames in phishing messages affect recipients' detection accuracy? (2) How do the gain- and loss-based frames affect detection accuracy across gender? This research is useful because it can inform the design of effective countermeasures for detecting and blocking phishing messages.

Paper 12: Risk of Data Breaches in Financial Institutions: A Routine Activity Perspective

Jae Ung Lee, Jingguo Wang, Melchor de Guzman, Korni S. Kumar, Manish Gupta, H. Raghav Rao

Data breaches by insiders in financial institutions have produced some of the most extensive damage that disrupts an organization's operations. Organizations' ability to identify and assess such risks in their operational environment is critical in the development and implementation of prevention and mitigation strategies that would address potential threats from insiders. Applying Routine Activity Theory (RAT), this paper develops a risk assessment model for examining the factors shaping employees' perception of risks regarding breaches of sensitive data in their organizations. This paper empirically examines the characteristics of motivated offenders, suitable targets, and the influences of capable guardianship. A sample of employees in financial institutions in the United States was surveyed. Our analyses show that perceptions of value, inertia, and accessibility of targeted sensitive data along with the presence of guardians have an impact on the assessment of risk about data breaches in financial institutions. Moreover, the amount of information (both online and offline) available regarding the data influences the relationship between the value of the sensitive data and its suitability for data breach. Theoretical and practical implications are discussed.

Paper 13: Can Peers Help You Comply with Information Security Policies?

Adel Yazdanmehr, Jingguo Wang

How to motivate employees to comply with information security policies (ISP) is one of the main challenges that organizations face today. Peer monitoring is a voluntary behavior through which employees notice and respond to their peers' ISP noncompliance. This early-stage paper explores whether peer monitoring is an effective control mechanism in motivating employees to comply with the ISP. We propose that peer monitoring can motivate group members to comply with the ISP and that such an effect is mediated by affective commitment to the ISP and perceived deterrence. We discuss the theoretical contributions and practical implications.

Paper 14: The Role of Abusive Supervision and Reactive Computer Abuse: A Multi-Level Analysis

Carol Hsu, Xin Luo, Feng Xu, Merrill Warkentin

Research has shown that organizational factors may contribute to the formation of computer abuse intentions and behaviors. The perception of organizational injustice has been identified in extant research as a motivation for employees to engage in deviant behavior in the context of computer security policy violations. But what factors contribute to these perceptions? We explore the role of abusive supervision in this process. We present a theoretical foundation for this investigation and an empirical design for exploring this research question. Following feedback from reviewers, we will refine our research design and collect data, the results of which will be presented at the workshop in October.

Paper 15: Understanding Privacy-Related Decisions Through Individuals' Neural Disposition: A Neuroscience Study

Gurvirender P. S. Tejay, Zareef Mohammed

Despite individuals expressing concerns for the privacy of their personal information, they continue to disclose it for the benefits provided by technologies. This phenomenon of contradictory privacy-related decisions is referred to as the privacy paradox. We investigate the privacy paradox to better understand individuals' decisions to withhold or disclose personal information. We argue that individuals would disclose personal information based on their neural disposition, which includes the momentary rational and emotional mental processes before conscious thought is formed. We applied the findings of cognitive neuroscience to the extended privacy calculus model, and evaluated it using three within-subjects EEG experiments. Our findings indicate that individuals' privacy-related decisions tap into executive and emotional areas of the brain, which involves assessments of risks and rewards, as well as emotional regulation.

Paper 16: Examining Interdependent Information Disclosure on Social Networking Sites

Yaqoub Alsarkal, Nan Zhang, Xeng Xu

The highly interactive nature of interpersonal communication on online social networks (OSNs) impels us to think about privacy as a communal matter, with users' private information being revealed by not only their own voluntary disclosures, but also the activities of their social ties. The current privacy literature has identified two types of information disclosures in OSNs: self-disclosure, i.e., the disclosure of an OSN user's private information by him/herself; and co-disclosure, i.e., the disclosure of the user's private information by other users. Although co-disclosure has been increasingly identified as a new source of privacy threat inherent to the OSN context, few systematic attempts have been made to provide a framework for understanding the commonalities and distinctions between self- vs. co-disclosure, especially pertaining to different types of private information. To address this gap, this paper presents a data-driven study that builds upon an innovative measurement for quantifying the extent to which others' co-disclosure could lead to actual privacy harm. The results demonstrate the significant harms caused by co-disclosure and illustrate the interesting differences between the identity elements revealed through self- and co-disclosure.

Paper 17: Context-Aware Secure Information System Design: A Socio-Technical Approach

Gurvirender P. S. Tejay, Abdulrahim Charif

The security of information systems is a key concern for organizations. If information systems design does not ensure system security, the organization will face a higher risk of threats. The current secure system design methodologies claiming to address both technical and socio-technical aspects of the organization have no empirical evidence that these methods are applicable and provide practical effectiveness. Consequently, there is a need for a secure information system design method that is comprehensive and empirically evaluated for its effectiveness in an organization. Accordingly, we propose contextual secure information system design (CSIS) based on a design kernel theory. Organization-based access control concepts are used to construct the proposed meta-design model. We then validate the CSIS model by applying the meta-design rules to construct a secure information system. We followed action research in the study to evaluate whether CSIS achieved positive results and was practical to deploy. The intervention suggests that CSIS is capable of identifying areas of high threat risk where there needs to be additional security focus in implementation. The findings of this study offer new insights into secure IS design.

Paper 18: Impact of Monetary Value Gains and Losses on Computer Security Behavior of Users

Fiona Fui-Hoon Nah, Maggie Cheng, Samuel N. Smith, Santhosh Kumar Ravindran

This research examines users' computer security risk-taking behavior when presented with monetary value gain and loss scenarios for their action. Based on Utility Theory, we hypothesize that users are more willing to engage in risky computer security actions when presented with the possibility of receiving a monetary value gain or avoiding a monetary value loss. Based on Prospect Theory, we hypothesize that users are more willing to engage in risky computer security actions to avoid losing monetary value as compared to gaining monetary value. An experimental study was proposed to test the hypotheses.