The 2019 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Anat Hovav, Gurvirender Tejay, Rui 'Ray' Chen

Conference Proceedings

Proceedings Editor: Anthony Vance


Paper 1: Factors influencing compliance with newly implemented information security policies

Jacques Ophoff and Mark Regensberg

As the value and risk associated with stored personal and financial information increases, information security has become an increasingly important focus for hotel owners and operators. Insider threat has become a key management issue, with employee adherence to information security policies considered by many researchers to present a critical challenge to organizations. To identify potential solutions to address this challenge, this research explores factors that contribute to information security policy compliance in a hotel environment, using the Control-Reactance Compliance Model. 156 employees of a national hotel group took part in a cross-sectional, survey-based study. Partial Least Squares Structural Equation Modelling (PLS-SEM) was used to analyze the reflective model for causal relationships between variables, with hotel-specific covariates introduced to allow for multi-group analysis. The research provides practical insight into how aspects of both control theory and reactance theory affect information security policy compliance in hotel and above-property environments. There is support for the Control-Reactance Compliance Model in the hotel environment, with aspects of both control theory and reactance theory supported through statistically significant correlations with participants' intention to comply with information security policies. This research provides practical insight into how both the manner and method of communication of information security policies may impact an employee's intention to comply and highlights the significant influence of employee commitment to organizational change. While PLS-SEM has been widely used in behavioral information security research, this research is the first, as far as the authors are aware, to specifically consider the hotel environment. Additionally, the research establishes the generalizability of the Control-Reactance Compliance Model across different demographic and organizational contexts.

Paper 2: The Dynamics of Information Security Policy Adoption

Ali Yayla and Sumantra Sarkar

Achieving organization-wide information security partially depends on the success of the adoption of information security policies (ISPs). However, most organizations symbolically adopt these policies, which leads to low compliance behavior and increased security risk. In this paper, we aim to answer two important questions: Why do organizations symbolically adopt ISPs? And how can organizations successfully adopt ISPs? The preliminary analysis of semi-structured interviews of executives revealed that organizations fail to integrate ISPs into their existing organization structure and routines until there is an external trigger such as a security breach. Organizations react to the sudden and external nature of these jolts by making efforts to integrate ISPs into their business processes. During this reaction period, because security takes precedence over business, ISPs lose their internal legitimacy. We argue that most organizations symbolically adopt ISPs because they fail to internalize these policies. We propose that organizations need to proactively integrate ISPs into their business processes with the aim of internal legitimization in the eyes of the organizational members.

Paper 3: Politeness in Security: Insights in Browser Compliance

Deanna House and Gabe Giordano

This research explores the effects that (im)politeness has on intention to comply with security directives. The research utilized an experiment that focused on secure browser setting directives across varying types of media richness. The subjects were randomly assigned to receive communications/directives that were text-based, text/image-based, or video-based. The communications were also grouped into polite and impolite messaging. The results indicate that there was a significant difference between the polite and impolite groups, with support for the overall model/hypotheses. However, when exploring further, the impolite groups were not supported, with no significant relationships. Additionally, those that received video-based communications had a stronger (and significant) intention to comply.

Paper 4: Improving Cybersecurity Learning: An Integration of Cyber Offense and Cyber Defense

Hwee-Joo Kam, Xin Luo and Yanyan Shang

The critical shortage of cybersecurity talent urged the President of the United States to issue Executive Order 13800 to bolster the cybersecurity workforce. Unfortunately, higher education fails to cultivate the cybersecurity talent that organizations are looking for. As a result, organizations have to invest their resources to provide on-the-job training to their employees. To enhance the quality of cybersecurity education, this study investigates how the learning of both cyber offense and cyber defense helps individuals to gain a more thorough understanding of cybersecurity concepts. Built on Activity Theory, this study examines individuals' cognitive learning in cybersecurity. Our key findings discover that cyber offense learning cultivates effective thinking, but cyber defense engages individuals in system thinking. We then suggest the research implications accordingly.

Paper 5: Identifying factors of Information Security Culture: An Exploratory Study

Gurvirender Tejay and Zareef Mohammed

The continuous information security failures in organizations have led to a focus on organizational culture. It is argued that the development of a culture of information security would subsequently lead to a secure organization. However, limited studies have been conducted to understand information security culture. In order to cultivate a culture of information security, it is imperative to develop methods that would allow some manner of assessment. In this research study, we follow the survey research method to identify factors of information security culture in an organization and develop an instrument using exploratory factor analysis. The underlying theory is Hall's (1959) primary message systems. The data was collected from 300 participants from the southeast United States. Our findings indicate that group cohesiveness, professional code, information security awareness, work practices, planning and empowerment are important factors of information security culture.

Paper 6: Managerial Computer Abuse Behavior and Evaluation of Security Threats

Laura Amo, Laurie Giddens and Dianna Cichocki

With regard to computer abuse, the term "malicious insider" tends to be associated with male employees, likely because men commit more crimes relative to women. However, empirical studies of computer abuse do not consistently find gender differences and some case study research has found equal rates of men and women engaging in deviant technology behavior. To gain a better understanding of gender differences in computer abuse, we explore whether gender differences appear among executive employees and whether these employees demonstrate bias in decision-making based on subordinate employee gender. We distributed a survey to 53 executives with graduate-level education, and collected data on demographics and computer abuse behavior. In the survey, we randomly assigned participants to an "employee gender" condition, such that 28 participants read a scenario where the offender is female and 25 read a scenario where the offender is male. The scenarios were identical with the exception of the gender pronouns, and participants were asked to evaluate the intent and harm posed by the employee. Our results suggest that male executives engage in more computer abuse relative to female executives. Furthermore, executives' perceptions of malicious intent but not harm are systematically different according to the gender of the subordinate employee; specifically, executives characterize security misbehavior by males as significantly more malicious relative to that by females. These findings suggest that gender biases may play a role in how managers perceive employee security behavior.

Paper 7: Insiders' Moral Ought Forces and Information Security Policy Compliance: An Introduction to Deonance Theory

Clay Posey, Rebecca Bennett and Robert Folger

Within the field of organizational cybersecurity, much attention has been given to insider compliance and non-compliance with the information security policies (ISPs) set forth by their organizations. Most of these efforts apply theoretical foundations based on self-interest, personal incentive, and cost-benefit calculations to explain compliance and non-compliance motives. We take a different approach to understanding insiders' ISP compliance by discussing how these individuals' field of "ought forces" (i.e., perceptions of moral obligations) guides compliance intentions and behavior. In this research-in-progress submission, we discuss how Deonance Theory (Folger 2001; Folger 2012) can be applied to shed additional light on insiders' compliance with organizational ISPs when those ISPs place increased restrictions on what the insider must or must not do.

Paper 8: Relationship Between the Pathological Traits and Different Types of Malicious Attacks

Nan Liang and Andrew Schwarz

Employees' security policy violations continue to pose a great threat to the organization. With their knowledge about organizational security countermeasures as well as valuable organizational resources, employees could launch an attack towards the organization much more easily than an outsider could and cause more devastating consequences. However, current research about security policy violations does not differentiate the expressive and instrumental motivations of the violations. This might render the deterrence measures ineffective. Also, existing studies use personality disorders to profile violators; however, these DSM-defined disorders are designed for clinical use more than academic inquiries. Therefore, in this study we utilize the trait model of personality disorder to investigate the different characteristics exhibited by individuals who conduct different types of security policy violation.

Paper 9: Measuring the Onlooker Effect in Information Security Violations

Sahar Farshadkhah

The average total cost of a security violation in the United States grew to almost $8 million in 2018. Still, current employees are the top source of security incidents. Many insider threats to cybersecurity are not malicious but are intentional. Many organizations have well-delineated policies intended to guide insiders' cybersecurity-related behaviors. However, the effectiveness of these policies is questionable. Many behavioral cybersecurity research projects investigate factors that influence the mitigation of information security violations, but there is still a need for a better understanding of behavioral factors. One of these factors is the perception of being overseen by onlookers, who are organization members to whom one's security policy violations are visible, but who are not directly involved in the behavior. The practical effect of onlookers will be the adjustment in one's security compliance behaviors in response to the perceived presence of onlookers and their perceived inferences, judgments, or reactions.

Paper 10: Insider Threat Mitigation: An Examination of Discouraging Deviant Behavior

Tripti Singh, Andrew Miller, Allen Johnston and Merrill Warkentin

This work identifies effective strategies that organizations can employ to prevent insider threats from materializing. The specific categories of prevention techniques included in this research are: effort, risk, rewards, provocation and excuse. This paper uses the Theory of Situational Crime Prevention (SCP) (Clarke, 1980) as the primary theoretical lens. In addition, the organizational mindfulness of organizations is studied to provide an understanding of the role this plays in the strategies used to mitigate insider threats.

Paper 11: Distinguishing the Difference: Critical Warnings and Non-essential Notifications

Brock Kirwan, David Eargle, Bonnie Anderson, Jeff Jenkins and Anthony Vance

This paper investigates how habituation to frequent non-essential software notifications may carry over to infrequent critical security warnings. This general process, known simply as generalization, is a well-established phenomenon in neurobiology that has clear implications for information security. Because software user interface guidelines call for visual consistency, software notifications and security warnings have a similar look and feel. Consequently, through frequent exposure to notifications, people may become habituated to critical security warnings they have never seen before. The objective of this paper is to propose an fMRI experimental design to measure the extent to which this occurs. We also propose testing security warning designs that are resistant to generalization of habituation effects.

Paper 12: Understanding the Persuasiveness of Information Security Messages for Employees' Information Security Decision Making: An Investigation of Elaboration Likelihood Model and Herd Behavior

Feng Xu and Merrill Warkentin

Determining how to design persuasive information security messages in order to increase employees' engagement in recommended information security protective behaviors is an important organizational objective. Information security messages that are argument-based have been shown to effectively elicit desired security behaviors. The mechanism by which cue-based information security messages persuade employees to engage in information security protective behavior is not clear. This paper applies the lenses of the elaboration likelihood model (ELM) and herd theory to explain how popularity cues trigger herd behavior and subsequently influence employees' security protective behavior. In addition, this paper examines the moderation effects of security relevance and security expertise on the relationship between security argument quality, popularity cues, discounting own information, and imitating others. We will conduct a 2x2 factorial experiment to determine the impact of security argument quality and popularity cues on herd mentality and subsequent security protective behavioral intention. The results have implications for designing effective information security messages for organizational information security management programs.

Paper 13: Constructive Deception in the Workplace and Beyond: A Defensive Social Engineering Approach

Yaojie Li and Xin Luo

The bright side of deception has been neglected in behavioral information security research, due to a lack of adequate understanding of the nature and mechanism of deception in employees' organizational and social life. The current study conceptualizes a novel form of prosocial organizational behavior beyond cyberspace: constructive deception, which can be deployed to protect organizational information systems by delaying and diverting potential threats and attacks in the work and social spaces. Based on a deception triad, a typology of constructive deception is developed to provide practical guidance for prosocial deceivers, aiming at prospering strategic deceptions while relieving tension between prosocial deceivers and deceivees. Furthermore, a theoretical framework is proposed to illuminate the nature, motives, and mechanism of constructive deception.

Paper 14: Modeling Inertia Causatives

Karen Renaud and Jacques Ophoff

Cyber criminals are benefiting from the fact that people do not take the required precautions to protect their devices and communications. It is the equivalent of leaving their home's front door unlocked and unguarded, something no one would do. Many efforts are made by governments and other bodies to raise awareness, but this often seems to fall on deaf ears. People seem to resist changing their existing cyber security practices: they demonstrate inertia. Here, we propose a model and instrument for investigating the factors that contribute towards this phenomenon.

Paper 15: GDPR Fitness Assessment for Digital Payment Systems' (DPS) Privacy Policies: A Study of Mobile Wallet and Remittance Services

Oluwafemi Akanfe, Rohit Valecha and H. Raghav Rao

With the growth in Internet usage, the use of digital payment systems has been on the rise. However, with the recent data breaches resulting from companies' technology security flaws, the concern for data privacy has increased. As such, several nations require digital payment platforms to publish privacy policies containing important requirements. But because the privacy policies are written independently by different digital payment companies, there are often inconsistencies in the privacy policies' content. In this study, we explore the topic distributions of privacy policies published by DPS providers, and the adequacy of these policies in addressing issues concerning data protection, in accordance with the provisions of GDPR. To address this, we extracted ten core dimensions of the data privacy protection standard from GDPR and developed an emphasis-density index for privacy policies. The paper contributes to the digital payment and privacy policy regulations literature as it comparatively analyzes privacy policies based on the prevalence of essential clauses touching the dimensions of GDPR provisions.

Paper 16: Browser-based cryptocurrency mining as an alternative to online advertising: A view from the security vs. privacy perspective

Ali Alper Yayla and Ersin Dincelli

Online advertising has been the cornerstone of the Internet economy. However, recently, the increased levels of user tracking on websites have led to privacy-related concerns. In this study, we propose browser-based cryptocurrency mining (BCM) as an alternative revenue source to online advertising. BCM is a method of cryptocurrency mining that is implemented on a website by the provider and designed to use visitors' computer resources to mine cryptocurrency while they are on the website. However, as an emerging technology, uncertainty and perceived security concerns associated with BCM are limiting its widespread adoption. Guided by principal-agent theory and uncertainty reduction theory, our proposed model introduces (1) technology-based and provider-based uncertainty sources as inhibitors of intention to use BCM and (2) a number of technology and provider characteristics as means of uncertainty reduction. Moreover, our study illustrates the tension between privacy concerns of one technology and security concerns of a competing technology. This study has the potential to provide a more granular understanding of technology adoption; in particular, adoption and the continued use of BCM. The results can reveal important factors that the industry needs to focus on for the wide adoption of BCM as an alternative revenue source for websites.

Paper 17: Toward Understanding the Dynamic Nature of Privacy Trade-offs

Shan Xiao and Ali Vedadi

It's commonly accepted that information privacy has become a major concern for various sectors. Numerous users are anxious about the ambiguity of data collection, control, and awareness of privacy practices. However, the users may continue using the service or product despite the high level of privacy concerns. IS researchers have investigated this phenomenon through diverse approaches; however, most findings are based on cross-sectional data. Few studies have addressed the long-term nature of IS continuance by virtue of dynamic privacy-related beliefs. In particular, it remains unclear how these beliefs change from initial adoption to the post-adoption phase. This paper attempts to examine the dynamic nature of beliefs on IS continuance use in a privacy context. A research model is proposed in terms of privacy calculus and another two salient constructs in prior literature, including perceived risk, perceived benefit, privacy concerns, and trust. To capture belief change, a promising experiment is designed to collect data from college students. The findings may offer new insight into understanding how people change their beliefs and adoption behaviors over time.

Paper 18: Meta-Ethnography of Information Security Policies

Richard Baskerville and Mala Kaul

This research aims to develop a summative analysis of information security policies that have been made publicly available on the Internet. Because these documents are qualitative in nature, this analysis will adopt meta-ethnography, a specific form of hermeneutic analysis that treats each different kind of policy component as representative of different kinds of organizational subculture: technical cultures, management cultures, operational cultures, etc. The purpose of the study is to identify and delineate different categories of information security policy components and to characterize the organizational subcultures that produced them, resulting in a meta-synthesis of information security policies. In this report we describe the structure of our research and report on the initial phases of the meta-ethnography.

Paper 19: Information Security Compliance Worldwide, a Cross-Cultural Study: The Entangled Paradox of Culture and Values

Carlos Torres and Robert Crossler

Despite substantial evidence on the different approaches to secure behaviors by people from different nationalities, cross-cultural comparisons have remained relatively unexplored in Information Security research. While extant research in psychology has found empirical evidence of the significant differences between the values held by people from different countries and their relation to behavior, personal values have not been adequately included as a predictor of secure behaviors in Information Security research. This paper, as part of an ongoing study, theoretically enhances the Unified Model of Information Security Policy Compliance—UMISPC—by drawing on Schwartz's universal theory of personal value types, and by doing so provides an opportunity for cross-cultural comparison. The expected results of this in-progress project are hoped to identify values that characterize the tendencies of people from different countries towards security policy compliance, allowing a better understanding of the motivators of secure behaviors in organizations.

Paper 20: A Social Material Perspective on the Cyber Security Literature

Craig Van Slyke, Michele Maasberg, and France Belanger

For some time, we have been aware of the sociomaterial nature of information technology use in organizations. As Orlikowski and others have pointed out, the social and material are constitutively entangled, "there is no social that is not also material, and no material that is not also social" (Orlikowski 2007, p. 1437). In other words, the social and the material are inseparable parts of a whole, rather than independent entities that dynamically interact.