The 2018 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Kennedy Njenga, Stephen Flowerday, Irwin Brown

Conference Proceedings

Proceedings Editor: Anthony Vance


Paper 1: Detecting Privacy Concerns Through Users' Human-Computer Interaction (HCI) Dynamics

Jeffrey L. Jenkins, Parker A. Williams, Joseph S. Valacich and Michael D. Byrd

Privacy concerns are a major deterrent in many online interactions. Detecting when an end-user has privacy concerns, however, is very difficult. Typically, organizations only learn of a user's privacy concerns after it is too late, e.g., after the user refuses to provide information or to participate in a service. To address this problem, we propose research to detect when users have privacy concerns simply by monitoring how they interact with a website using the computer mouse, keyboard, touchscreen or touchpad, a collection of behaviors termed Human-Computer Interaction (HCI) Dynamics. We propose that users will exhibit more cognitive conflict in their HCI Dynamics when privacy concerns are inhibiting an interaction. We explore this proposition by reporting on two studies, a laboratory experiment and a large-scale field study with 20,000 real users, that examine the influence of privacy concerns on HCI Dynamics. Our results suggest that early indicators of privacy concerns can be detected, before the user terminates the interaction, by monitoring users' HCI Dynamics. This methodology could potentially be deployed within real-time interactions and used to trigger interventions (e.g., privacy assurances) that decrease privacy concerns and thereby prolong user interactions.

Paper 2: Developing Organization-Specific Information Security Policies by Using Critical Thinking

Hanna Kinnunen and Mikko Siponen

Information security policies (ISP) can be seen as a collection of rules, principles, or guidelines that steer the information security actions in organizations. The literature on ISP development discusses ISP from three viewpoints--content, method, and context--which together form the basis of an organization-specific ISP development method. However, previous approaches do not combine these dimensions on a practical level. This article applies Hare's (1981) theory of critical thinking in a method to support the decision-making needed in ISP development. A list of critical considerations for the ISP development process was created and applied in an action research project. The objective of informed decision-making was realized by creating a method that systematically gathers knowledge of the target organization before selecting rules for it. Supporting critical thinking in the ISP development process resulted in an organization-specific policy.

Paper 3: Examining the Recovery and Competitive Advantage After Organizations' Data Breaches: Drawing Insights from the Neo-Institutional Theory and the Dynamic Capabilities Framework

Nithya Shankar and Zareef A. Mohammed

Many organizations suffer data breaches due to poor privacy and security practices. However, despite the negative backlash these organizations face, especially from consumers, they still survive. This paper investigates how organizations' practices change after a data breach. We argue that organizations reform their practices for handling personally identifiable information (PII) in response to both external forces and an internal re-evaluation of PII as a resource. Our theoretical framework, developed from the Neo-Institutional and Dynamic Capabilities theories, is used to examine three organizations that suffered data breaches, Target, Anthem, and Equifax, using a multiple case study approach. Although this is a preliminary study, our findings indicate that organizations' practices after a data breach are influenced by isomorphic forces as they recover. Additionally, in the cases of both Target and Anthem, we observe that practices concerning consumers' PII may be influenced by a change in how PII is viewed: from a mere resource for day-to-day operations into an asset necessary for the organization's survival.

Paper 4: A Theory of Deceptive Cybersecurity

Richard Baskerville and Pengcheng Wang

This paper describes a framework for evaluating the specific application of deceptive cybersecurity devices in particular design settings. There is an innate asymmetry between the advantages of an attacker and the disadvantages of the defender. The essential goal of cybersecurity is to increase the security of local information and information systems. One way of achieving this goal is to increase the amount of work required of an attacker while decreasing the amount of work required of the defender. New cybersecurity devices based on deceptive technologies aim to achieve this adjustment to the asymmetry. The framework embodies a theory that explains the principles that deceptive cybersecurity aims to achieve. Using probability of compromise as an indicator of the amount of work required of an attacker, we evaluate the underlying mechanism of deceptive cybersecurity. The degree of security that deceptive cybersecurity provides to a network cannot be evaluated by considering the cybersecurity devices alone. Intruder characteristics must be included in the evaluation, and by modeling intruders' behavior and incentives we can derive further qualitative and quantitative characteristics that help to objectively evaluate the effectiveness of deceptive cybersecurity configurations and devices.
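As an added illustration (not the authors' model, which the abstract does not spell out), the following Python sketch uses probability of compromise in the way the abstract describes. It assumes a network of real and decoy hosts that look alike to the attacker, an attacker who probes hosts at random without repetition, and two intruder characteristics: the chance the attacker recognises and quietly skips a decoy, and the chance that touching a decoy raises an alert that ends the intrusion. All parameters, host counts and function names are assumptions made for the example.

```python
import random


def p_undetected_compromise(real, decoy, detect_on_touch, recognize_decoy=0.0):
    """Probability that the attacker reaches a real host before any decoy trips an alert.

    Assumed model (an illustration, not the paper's): hosts are probed uniformly
    at random without replacement. Each decoy the attacker lands on is recognised
    and skipped with probability recognize_decoy; otherwise it is touched and
    raises an alert with probability detect_on_touch. An alert ends the intrusion.
    """
    n = real + decoy
    if real == 0:
        return 0.0
    q = (1.0 - recognize_decoy) * detect_on_touch  # chance that one decoy burns the attacker
    total = 0.0
    for k in range(decoy + 1):  # exactly k decoys are drawn before the first real host
        p_k = 1.0
        for i in range(k):
            p_k *= (decoy - i) / (n - i)
        p_k *= real / (n - k)
        total += p_k * (1.0 - q) ** k  # all k decoys must stay silent
    return total


def expected_probes(real, decoy):
    """Expected number of probes until the first real host (attacker work, ignoring alerts).

    Mean position of the first success when drawing without replacement:
    (N + 1) / (R + 1) for R real hosts among N hosts in total.
    """
    return (real + decoy + 1) / (real + 1)


def simulate(real, decoy, detect_on_touch, recognize_decoy=0.0, trials=20000, seed=1):
    """Monte Carlo cross-check of p_undetected_compromise under the same assumptions."""
    rng = random.Random(seed)
    hosts = ["real"] * real + ["decoy"] * decoy
    wins = 0
    for _ in range(trials):
        rng.shuffle(hosts)
        for host in hosts:
            if host == "real":
                wins += 1
                break
            if rng.random() < recognize_decoy:
                continue  # attacker spots the decoy and moves on quietly
            if rng.random() < detect_on_touch:
                break  # decoy raised an alert; intrusion stopped
    return wins / trials


def compare_deployments(real, decoys, detect_on_touch, recognize_decoy=0.0):
    """Rows of (decoy count, P(undetected compromise), expected probes) for candidate deployments."""
    return [
        (d, p_undetected_compromise(real, d, detect_on_touch, recognize_decoy), expected_probes(real, d))
        for d in decoys
    ]


if __name__ == "__main__":
    # Assumed network: 20 production hosts, a careful attacker who skips 30% of decoys,
    # and decoys that alert on 90% of touches. These numbers are made up for the demo.
    for d, p, work in compare_deployments(20, [0, 5, 20, 80], 0.9, 0.3):
        print(f"decoys={d:3d}  P(compromise undetected)={p:.3f}  expected probes={work:.2f}")
    print("simulation check (20 real, 20 decoys):", round(simulate(20, 20, 0.9, 0.3), 3))
```

The two intruder parameters are where the abstract's point shows up: with recognize_decoy near 1 the decoys add no security at all whatever their number, so a deployment cannot be rated without a model of who is attacking it.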

Paper 5: Are 21st-Century Citizens Grieving for Their Loss of Privacy?

Gregory J. Bott and Karen Renaud

Although much research examines the cognitive events leading up to information disclosure, such as risk-benefit analysis and state-based and trait-based attributes, minimal research examines user responses after a direct or indirect breach of privacy. The present study examines 1,004 consumer responses to two different high-profile privacy breaches using sentiment analysis. Our findings indicate that individuals who experience an actual or surrogate privacy breach exhibit similar emotional responses, and that the pattern of responses resembles well-known reactions to other losses. Specifically, we present evidence that users contemplating evidence of a privacy invasion experience and communicate responses very similar to those of individuals who have lost loved ones, gone through a divorce, or face impending death because of a terminal illness. These responses parallel the behavior associated with Kübler-Ross's five stages of grief.

Paper 6: Can Blockchains and REA Smart Contracts Address Certain Cybersecurity Issues

Graham Gal and William E. McCarthy

This paper examines REA smart contracts. Currently, blockchains are mainly a technology for immutable records of cryptocurrency transactions. Smart contracts, which exchange digital assets when predetermined conditions are met, extend blockchains from a simple record of what has happened to a record of what can happen in the future. When contracts are extended into more complete records of potential actions, other concepts need to be included. The REA ontology provides a more complete representation of the potential components of a contract by connecting the contract's commitments to types of resources, types of events, and types of agents. By assembling a digital identity for individuals, the provenance of their activities and capabilities also becomes part of an immutable record. While a digital identity could provide a degree of anonymity, the inclusion of other information in the identity makes copying a portion of it for other purposes more difficult. With all aspects of a person assembled into a single identity, uses of that identity could be required to prove knowledge of some non-disclosed components. There is always an issue of privacy with technological advances. Blockchains have certain benefits when applied to supply chains, and REA contracts can help realize those benefits.
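As an added example (not the authors' design; the abstract does not specify a construction), the following Python code shows one standard way to assemble several identity components into a single commitment so that a portion can be disclosed and checked against the whole, which is the copy-resistance the abstract describes. Each salted component is a leaf of a Merkle tree, the root is the one value that would be recorded on the ledger, and a presentation reveals chosen components with inclusion proofs while the others stay hidden behind their hashes; a component lifted from a different identity fails to verify against this root. Attribute names, values, salt length and function names are assumptions. Proving knowledge of a component without disclosing it at all would need a zero-knowledge proof, which this example does not implement.

```python
import hashlib
import os

# Domain separation: a leaf hash can never be confused with an interior node hash.
LEAF_TAG, NODE_TAG = b"\x00", b"\x01"


def leaf_hash(name: str, salt: bytes, value: str) -> bytes:
    """Salted hash of one identity component.

    The per-leaf salt stops a verifier (or anyone reading the ledger) from
    guessing low-entropy values such as a date of birth from the hash alone.
    """
    return hashlib.sha256(LEAF_TAG + name.encode() + salt + value.encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_TAG + left + right).digest()


def build_levels(leaves):
    """Merkle levels, leaves first. An unpaired node is promoted unchanged rather than duplicated."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from the leaf up to the root, tagged with the side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            proof.append(("L", level[sibling]) if sibling < index else ("R", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(root: bytes, leaf: bytes, proof) -> bool:
    h = leaf
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


def commit_identity(attributes: dict) -> dict:
    """Holder-side record. Only the root goes on the ledger; salts and values stay with the holder."""
    names = sorted(attributes)
    salts = {n: os.urandom(16) for n in names}
    levels = build_levels([leaf_hash(n, salts[n], attributes[n]) for n in names])
    return {"root": levels[-1][0], "names": names, "salts": salts,
            "values": dict(attributes), "levels": levels}


def present(record: dict, disclose) -> dict:
    """Reveal only the named components, each with its salt and inclusion proof."""
    shown = {}
    for n in disclose:
        i = record["names"].index(n)
        shown[n] = (record["values"][n], record["salts"][n], inclusion_proof(record["levels"], i))
    return {"root": record["root"], "disclosed": shown}


def verify_presentation(expected_root: bytes, presentation: dict) -> bool:
    """Verifier side: every disclosed component must hash into the root the verifier already trusts."""
    if presentation["root"] != expected_root:
        return False
    return all(
        verify_inclusion(expected_root, leaf_hash(n, salt, value), proof)
        for n, (value, salt, proof) in presentation["disclosed"].items()
    )


if __name__ == "__main__":
    # Constructed sample identity; the attribute set is an assumption for the demo.
    holder = commit_identity({"name": "Alice", "dob": "1990-01-01", "licence": "yes"})
    pres = present(holder, ["licence"])
    print("ledger root:", holder["root"].hex())
    print("licence-only presentation verifies:", verify_presentation(holder["root"], pres))
```

The verifier learns the disclosed values and nothing about the hidden leaves beyond their count, and because every proof terminates in the holder's root, a component copied out of another person's identity cannot be presented as part of this one.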

Paper 7: Do Personality Traits and Information Ownership Influence Individuals' Security Behaviors?

Graham Gal, Daniel Jones, and Jessica Rose Carre

Individual computer security behaviors are critical to the overall success of cybersecurity efforts. Research suggests that threats or sanctions have only mixed success in encouraging employees to follow firms' information security policies. Firms have also instituted various training and audit practices in an attempt to increase adherence to policies. While training might increase adherence to approved policies, a single point of failure can thwart even the best infosec organization. Still other research has suggested actions within the firm to make employees feel a sense of ownership in the organization. While individual computer usage outside the firm is beyond the purview of corporate policies, individuals' actions can still have a profound impact on the overall technical infrastructure. There is some evidence that individuals may not be aware of appropriate security actions, and without processes and policies enumerated by the firm their ability to make appropriate choices is diminished. Results from other research suggest that individuals have different motivations to protect corporate versus individual information. For instance, externally motivated individuals may respond better to threats. Other studies have shown that lower-level employees need more motivation to protect firm data. In this study we examine the three Dark Triad personality traits, psychopathy, narcissism, and Machiavellianism, and individuals' propensity to take steps to secure personal versus corporate information. As an example, previous research has shown that psychopaths are more likely to feel justified in putting the resources of individuals in jeopardy. This research should inform firms as they develop security policies and monitor adherence to those policies. The results could also be used to develop tools that individuals can use to protect their personal information.

Paper 8: The Development of a Personality-driven Social Media Dataveillance Behaviour Model for South Africa

Karl van der Schyff and Stephen V. Flowerday

In this concept paper the researchers propose a set of constructs to evaluate the behaviour of South African social media users with respect to the extent to which their personal information is used through social media dataveillance. Previous research has not adequately addressed Social Media Dataveillance (SMD) within an emerging economy such as South Africa. The proposed study therefore aims to address this knowledge gap using a mixed methods approach consisting of both expert interviews and a survey.

Paper 9: Publicitas of Digital Lives: A Concept Paper

Richard Baskerville, Mala Kaul, and Veda Storey

In studies of information systems security, we routinely struggle with the tension between an individual's privacy and their online activities. In this short position paper, we introduce the notion of digital publicitas as a concept that is the opposite of digital privacy. The term publicitas, in its Latin sense, is an obsolete definition of publicity: 'The quality of being public; the condition or fact of being open to public observation or knowledge' (Oxford English Dictionary 2018). We employ this term to purposefully designate a state opposite to privacy. Since the inherent nature of online activities is indeed in opposition to privacy, it is useful to examine the naturally characteristic digital publicitas of online activities rather than privacy.

Paper 10: Examining Usable Privacy Statements Through the Eyes of the Individual

Zareef A. Mohammed and Nithya Shankar

The aim of this study is to investigate the interaction between individuals and usable privacy statements. We focus on the individual's perceptions rather than solely on design principles for privacy statements. This leads to the use of information processing theory as a lens through which to pursue the objective of this study. We propose the use of NeuroIS tools and techniques to address the objective of our paper.

Paper 11: Priming to Elicit Protection Motivated Behaviors: Preliminary Results

Philip Menard, Merrill Warkentin, Alan R. Dennis, Allen C. Johnston and Randall K. Minas

Security Education, Training, and Awareness (SETA) programs have long been used to persuade computer users to comply with security policies and engage in behaviors that will protect their information resources from security threats. SETA messages often include statements designed to influence recipients' appraisal of a threat and of the recommended response to the threat. However, these messages only trigger an effective response if users cognitively process the statements in the message. Should SETA messages emphasize the potential harm from the threat or the safety provided by the response? Do users respond differently if they are in a threat mindset or a safety mindset? To identify strategies and techniques that improve the effectiveness of these messages, we tested the impact of priming interventions on the factors that may influence the extent to which a user cognitively processes the message. We conducted a survey-based experiment to assess the relative impact of threat prime manipulations and safety prime manipulations on the message recipients' perceptions of threat appraisal and coping appraisal factors and on their intention to adopt the recommended information security threat response. We interpret these preliminary results through the theoretical lens of protection motivation theory (PMT) in the context of information security behaviors.

Paper 12: Comprehending Comprehension of Security Warnings: Insights from Eye Tracking, fMRI, and Behavior

Anthony Vance, Jeffrey L. Jenkins, Bonnie Brinton Anderson, Daniel K. Bjornn and C. Brock Kirwan

Security warnings are critical to help users make contextual security decisions. Unfortunately, users often find these warnings hard to understand, and they routinely expose themselves to unintended risks as a result. Although it is straightforward to determine when users fail to understand a warning, it is more difficult to pinpoint why this happens. The goal of this research is to use eye tracking and functional magnetic resonance imaging (fMRI) to step through the building blocks of comprehension--attention, semantics, syntax, and pragmatics--for SSL and other common security warnings. Through this process, we will identify ways to design security warnings to be more easily understood.

Paper 13: Influence of National Culture on Employees' Intention to Violate Information Systems Security Policies: A National Culture and Rational Choice Theory Perspective

Tilahun Muluneh Arage

The security of information systems has become one of the top agenda items for business executives in economically developed nations. While the information systems security (ISS) world focuses on threats of external origin, most ISS breaches are caused by insiders. Both the amount of money allocated to ISS-related activities and the number of ISS breaches have been shown to increase in parallel. The majority of ISS investments and research are limited to technically oriented solutions. It is now realized that the technical approach alone cannot deliver the required level of ISS, which has led ISS researchers to embark on socio-technical approaches. In this respect, one of the critical social factors that has received little emphasis is culture. Thus, this research investigates the impact of national culture on employees' ISS behavior. More specifically, it answers the question: what is the moderating impact of national culture on the influence of ISS countermeasures and other important variables on employees' intention to violate ISS policies? We develop and test an empirical ISS compliance model composed of security-related rational choice theory and national culture constructs in the Ethiopian and USA contexts. A survey will be used to collect data.

Paper 14: Information Security Policy Violations: A Grounded Theory Approach to Counterfactual Balance and Tensions

Kennedy Njenga and Paul Benjamin Lowry

Research shows that employees seldom follow recommended information security policies regardless of their awareness levels. The focus of this study is to examine the causes of violations and to generate unique insights that place heavy emphasis on the 'intent' of violations rather than their 'effect'. For this reason, the work employs a qualitative Grounded Theory approach. The use of Grounded Theory in this work surfaces insightful behavioral features in a selected institution and generates a substantive theory of intent. Specific attention is given to identifying counterfactual balances of norms, commitment and attachment that give rise to tension outcomes, namely relational imbalance, unstable disposition, and lack of cognitive consonance. Our model proposes that a counterfactual balance that leads to these three tensions will most likely result in IS policy violations. The implications of this model are discussed in the main body of this work.

Paper 15: Embedding Business Continuity Management Practices: A Normalisation Process Theory Perspective

Ilse Van Beulen and Irwin Brown

There are a number of limitations evident in the business continuity management (BCM) literature and in prescriptive BCM practices. Most of these limitations result from the relative immaturity of the research field and the very contemporary nature of BCM. The current concerns within BCM are: 1) the lack of a description of how BCM methodologies should be implemented; 2) the absence of implementation guidelines for BCM; 3) the inability to translate BCM into tangible working constructs for organisations; and 4) the lack of a proficient framework or model which focusses on organisational culture issues for successful BCM implementation. There are also few efficient models for successful implementation of BCM, given that many organisations have little or no continuity planning experience and lack disaster recovery skills. Normalization Process Theory (NPT) addresses the social organisation of the work (implementation).