The 2020 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Mala Kaul, Mark J Keith, Yuan Li

Conference Proceedings

Proceedings Editor: Anthony Vance

Download all papers here.

Paper 1: Life Versus Livelihood: User Privacy During COVID-19 Virus Communication

Paras Bhatt, Naga Vemprala, Rohit Valecha and Hejamadi Raghav Rao

Twitter has been one of the commonly used means of communication for connecting people. Twitterers actively share tweets which include details about their activities and the location of the users. However, in the case of COVID-19, , questions are raised about communication monitoring of virus spreading hotspot locations and the transmission of alarming messages about virtual assistants powered by artificial intelligence, violating privacy resulting in a spiraling financial loss over social media. Considering the prevalence of debates on Health vs. Economy issues, the discussion of privacy concerns around these topics require a closer study. Using tweets collected during the outbreak, we conduct exploratory research and find a herd activity about privacy messages.

Paper 2: Accepting Privacy Scheme in the Presence of Consumer Privacy Fatalism: The Elaboration Likelihood Model and Fear Appeals

Bright Frimpong, Emmanuel W. Ayaburi, Francis Kofi Andoh-Baidoo and Jae Ung Lee

A major concern with privacy is consumer privacy fatalism, or the belief that the consumers believe they have little control over their privacy online. Based on the elaboration likelihood model (ELM) and fear appeals, the study proproses an integrated model that seeks to reduce consumer privacy fatalism and subsequently, influences consumer decision to opt-in for a privacy scheme. The study will use an online experimental vignette to investigate the research problem. The study will contribute to unraveling the relationship between fatalistic views and privacy precautionary behaviors and unveil the boundary conditions of ELM and fear appeals in the context of fatalistic attitude change. Furthermore, the findings will help inform the decision to promote opt-in or opt-out as privacy experts push to empower consumers.

Paper 3: The Technological Panopticon: Electronic Monitoring and Surveillance within the Workplace: Employee Turbulence through Perceptions of Privacy Infringement

Charlie Hinde and Jacques Ophoff

As organizations work towards securing their digital assets and intellectual property from external threats, so the latest information security reports indicate that the biggest threat remains from inside. The insider threat has become one of the biggest exploitable vulnerability's corporates face as a level of trust is placed in their staff, or authenticated users, on their network, to ensure corporate objectives and goals are achieved. While monitoring and surveillance in the workplace are considered symbiotic and go hand in hand as part of the employee relationship, the advancement in technological capability for electronic monitoring and surveillance (EMS) has escalated to such a degree that all aspects of an employee's workplace routine can be recorded. This research-in-progress paper hopes to utilize the communication privacy management (CPM) theory to understand if increasing levels of EMS in the workplace affect employees' perception of privacy infringement.

Paper 4: A Contingent Model of How Fear of External Security Threats Sparks Insiders: Proactive Information Security Behaviors

Feng Xu, Carol Hsu, Xin Robert Luo and Merrill Warkentin

The experience of fear of external security threats has been considered to be generally associated with organizational insiders' protection motivation and behaviors. The most important theoretical foundation to explain insiders' behavioral reactions to fear is the Protection Motivation Theory (PMT). Based on PMT, previous information systems (IS) security researchers have identified antecedents of insiders' security-related behaviors, such as security policy compliance and noncompliance and the adoption of protective technologies. However, previous research has largely overlooked the possibility that insiders' experience of fear can lead to proactive information security behaviors (ISB) that are self-initiated and future-oriented. Motivated thus, this study focuses on two proactive ISB (voice and individual innovation) and aims to identify the underlying motivations. Based on Lebel (2017)'s model, this article identifies can-do (emotional regulation knowledge) and reason-to (felt responsibility for constructive change) motivational factors under which fear of external security threats can lead to insiders' proactive security behaviors. This article contributes to PMT and information security behavior research by specifying when and why fear of security threats leads to insiders' proactive ISB. This study provides important practical suggestions for organizations to understand insiders' behavioral reactions to emotional experience of fear of external security threats, resulting in improved organizational security protection.

Paper 5: Using Accountability Theory to Determine How Curiosity Affects Policy Compliance

Philip Menard, Hwee-Joo Kam, Dustin K. Ormond and Robert E. Crossler

Insider abuse is one of the most dangerous issues facing information security professionals due to employees' existing authorization within organizational systems and knowledge of critical data structures housing confidential information. Although prior research has examined ways to mitigate access policy violations through the implementation of accountability artifacts within systems, employees may still be motivated to violate policies due to their innate curiosity about information that has been withheld from their knowledge. In this paper, we discuss how curiosity may impact the previously demonstrated effects of accountability features on intention to violate policies. We propose a factorial survey design to explore the interaction of curiosity and accountability in determining employees' intentions to violate data access policies.

Paper 6: Toward the Development of a Security Culture Model: A Key Proficiencies Perspective

Farkhondeh Hassandoust and Allen C. Johnston

In this research in progress (RIP), we draw on high reliability theory to develop a Security Culture Model that explains how a firm's supportive and practical proficiencies form its organizational security culture. We present initial tests of the model using survey data from 602 professional managers in Australia and New Zealand who are aware of the information security (InfoSec) programs within their respective organizations, the findings of which suggest a security culture is influenced by a firm's practical proficiencies in the form of InfoSec practices namely prevention, detection and response practices. Our findings also emphasize the importance of organizational supportive proficiencies as organizational structure for developing InfoSec practices in a firm. The results of this study provide both academics and practitioners an understanding of the vital organizational dynamics necessary to establish a culture of security.

Paper 7: Toward a Theory of Strained Betrayal

Allen Johnston, Sanjay Goel and Kevin J. Williams

Insider threats can be accidental or deliberate, with completely different underlying behavioral mechanisms. There has been considerable research focused on addressing accidental insider threats that occur through carelessness, apathy, or lack of expertise of individuals; however, little has been done to study insider threats (e.g., data theft) orchestrated by maliciously motivated employees. These malicious acts are forms of betrayal and have potentially devastating consequences to a company and the motivations for these acts of betrayal were not formed in a day, but rather developed over time. In this research in progress, we draw from the general strain theory (GST) and the emotions-centered model of voluntary behavior (ECT) to model the evolution of regular, benign employees to motivated, malicious insiders capable of malicious acts of betrayal. We present a new staged Theory of Strained Betrayal (TSB) that describes the evolution as one that is dependent on the direct influence of a number of external and internal factors, as well as the interactions among them.

Paper 8: Which Message Matters: Implications of Construal Level Theory for Improving Information Security Message Persuasiveness

Feng Xu, Jianli Xie, Wei Huang and Merrill Warkentin

A critical component of managing organizational information security is the design of effective information security messages to motivate individuals' engagement in protective security behavior. Previous research has emphasized the role of the general level of threat (low vs. high) in eliciting individuals' desired security behavior. Although a few studies have investigated the effects of specific dimensions of security message manipulations, such as gain versus loss-framed messages, the effects of specific message components are inconclusive. Construal level theory (CLT) offers insight into matching the different construal levels between message features and recipients' features that can enhance persuasive communication effectiveness. Based on CLT, this paper investigates the interactive effects of security messages' construal level (abstract "why" vs. concrete "how"), message framing (gain vs. loss), and individuals' coping styles (emotion-focused coping vs. problem-focused coping) on individuals' protection motivation. We posit that the effect of this matching on individual protection motivation is mediated by distinct types of efficacy: security self-efficacy and security response efficacy. Three experiments will be conducted to elucidate which specific security message has the strongest persuasiveness and identify the underlying mechanism. Our work makes a significant contribution to the IS security field by integrating construal level theory into information security message design.

Paper 9: Presentation of Computer Security Risks: Impact of Framing and Base Size

Xinhui Zhan, Nah Fiona, Keng Siau, Richard Hall and Maggie Cheng

This research explores how the presentation of computer security risks impacts users' risk perceptions and behavior. It draws on Prospect Theory to generate hypotheses related to users' decision-making in the computer security context. A 2 × 3 mixed factorial experimental design (N = 178) was carried out and the results show that framing and base size of information on computer security risks influence users' perceived risk and risk-taking behavior. More specifically, negative framing and large base size increase users' perceived risk and reduce users' risk-taking behavior. The findings from this research suggest that using negative framing and large base size to communicate computer security risks is an effective strategy to lower risk-taking behavior of users.

Paper 10: Have We Thought This Through? Understanding the Role of SETA Programs in Mitigating Security-Related Stress (SRS) Creators

Jalal Sarabadani, Robert E. Crossler and John D'Arcy

Current research in security-related stress (SRS) recommends security education, training and awareness (SETA) programs as an effective way to mitigate the adverse impacts of SRS among individuals, yet this broad assertion has not been unpacked in terms of the underlying mechanisms that connect SETA programs to SRS. Contrary to the conventional wisdom that instructional support and training reduce the destructive effects of stressors, we argue that the inherent characteristics of SETA programs incorporate costs in addition to benefits. More specifically, in this paper, we theorize the underlying mechanisms through which SETA programs provide employees with benefits, costs and their subsequent influence on perception of SRS creators. We expect that the results of this research-in-progress advances our understanding of SETA programs and the way they influence employees' perception of SRS creators, which have been overlooked in the current research. The expected research and practical implications are also discussed in the paper.

Paper 11: Detecting Change in Professional Conduct When Using Information from the Web: A Differential Effect for Different Business Entity Types and Implications for Privacy and "the Right to be Forgotten"

Roozmehr Safi

Increasing reliance on the Internet's perpetual memory has raised concerns regarding how dated information that would otherwise be forgotten or inaccessible can unduly or disproportionally influence current assessments and decisions. I investigate aspects of this topic for two major business entity types: one-person businesses (i.e., sole proprietors) and firms. Results show that one-person businesses tend to be more severely impacted than firms by past adverse information, and furthermore theirimprovement trends over time are more likely to be dismissed as noise than recognized as true signals of change. While firms can offset old unfavorable conduct by engaging in new favorable behaviors, a sole proprietor's current favorable operations can remain dominated by decades-old actions. Results also indicate that decision makers perceive firms as more capable of truly changing. Also, while only decision makers with certain personality characteristics recognize signs of positive change from a sole proprietor, all decision makers detect and appreciate such changes in a firm's conduct. This study finds that limiting access to adverse past information is likely to be more helpful (or necessary) for one-person businesses or more generally for individuals than for firms.

Paper 12: When Organization Reply? Contentful and Emotional Factors Affect Management Response in Online Hacker Community

Yuanhong Ma, Liangqiang Li, Zhong Yao , Jing Zhang and Yunzhong Cao

The growing cyber attacks and information security breaches make it necessary to explore the engagement of online hacker community. Applying the Fear Appeals Model and Protection Motivation Theory, this study examines the effect of exposure pressure and content quality on the management response for the voluntary vulnerability disclosure report in the online hacker community. The results show that the exposure pressure and content quality have a significantly positive effect on management response, while the exposure pressure has a greater influence than the content quality. Moreover, we build an emotion recognition approach using a word2vec-based LSTM algorithm. Based on the recognition outcome, we test the direct and moderating affect of emotional cues which are embedded in vulnerability disclosure report on management response. The results show that the effect of emotional cues on management response decision is limited. Finally, we also discuss the unexpected insignificance of emotional cues with rationalism and skepticism.

Paper 13: Organizational Learning Process on Bug-Bounty Platforms: The Role of Firm Experience and the Diversity of Hackers

Ali Ahmed, Brian Lee and Amit Deokar

Bug-bounty, a crowdsourcing way for vulnerability discovery, is an emerging practice for firms to detect security loopholes in their online systems. Unlike a typical crowdsourcing platform, in bug-bounty platforms, firms are required to collaborate with hackers on the platform continuously. Despite the growing interest in studying bug-bounty programs, it remains unclear how firms collaborate with hackers. In this paper, we examine how the firm's experience affects the efficiency in resolving security vulnerabilities on the platform. Using a dataset collected from the HackerOne bug bounty platform, we show that there exists an inverted U-shaped relationship between the organization's vulnerability resolution time and the number of vulnerabilities resolved in the past. Interestingly, the firm may perform worse (i.e., resolving in a long time) as they gain more experience initially. However, as the firm has resolved a sufficient number of vulnerabilities, the firm experience turns into a positive learning effect. Furthermore, our findings suggest that there are two advantages for firms continuously working with the same hacker. First, the positive learning effect kicks in earlier if the firm continuously works with the same hacker on the platform. Second, the repetitive working experience with the same hacker amplifies the positive learning effect. Finally, we found that working with the same hackers may lower the overall resolving time. The study provides theoretical contributions and some important implications in how organizations work with the online crowd through an open platform, especially under the context of vulnerability discovery, crowdsourcing, and organizational learning.

Paper 14: Exigencies of crisis in situations of computer failure: influence on infosec behavior

Maureen van den Bergh, Kennedy Njenga and Paul Benjamin Lowry

In the technology-people-management chain, people are predominantly identified as the weakest link in properly securing information systems. An examination of information security literature indicated that the exigencies (or demands and pressures) of computer system failure situations had not been explored as an external factor in influencing information security behaviour. The focus of this study was on how the exigencies of computer system failure situations would influence employee information security behaviour. Qualitative text data were analysed in two phases, firstly, through methods and procedures of phenomenological analysis formulated by Moustakas, and secondly, via a summative analysis. Aggregate results showed the demands and pressures placed on employees during computer system failure situations have an important effect on their information security behaviour, which were influenced towards intentional, non-malicious behaviour. Although no one single solution and/or approach will succeed to fully explain the intricacy of employee information security (ISec) behaviour, results from the current study significantly improved our understanding of how the exigencies of computer system failure situations, an external factor, influence employee information security behaviour. It also provided practitioners empirical implications on how to improve the governance of the human factor of the technology-people-management chain.

Paper 15: An Examination of Co-occurrence of Internet Crimes

Francis Kofi Andoh-Baidoo, Emmanuel Ayaburi and Daniel Treku

This paper investigates both the victims' and perpetrators' sides of internet crime to provide an integrated view of the internet crime problem. We seek to understand how the incidences of internet crimes occur across the U.S. states by examining the patterns that exist in internet crime. We collected data from the Federal Bureau of Investigations' internet crime center website. Thirty-eight crime types originally extracted were dimensionally reduced based on crime features and their occurrences. We followed this by factor score cluster analysis. We then examined how the reduced dimensions mapped onto prior literature on crime taxonomy. Based on our analyses, we find that: (1) while some crimes occur together across states, the co-occurrence is not based on neighbor-to-neighbor state ideology; (2) criminal forums is a dominant crime type as it affects over 40 U.S. states and that preventing this crime is key to reducing victim count; (3) there is a significant correlation between many of the crime types identified in this study. Coordinated effort to reduce the effectiveness of criminal forums has the potential to reduce the number of victims. In addition, reducing criminal forums will lead to a reduction in other crimes.

Paper 16: Log Management Best Practices: A Delphi Study

Russel Havens and Justin Giboney

Log management systems are used to ensure continuity of business systems. Administrators, managers, and users of log management systems have continual problems utilizing their systems to their full capacity. We performed a Delphi study to better understand the ways that stakeholders interact with and find value from their logs and the systems that manage them. Through the qualitative analysis of the Delphi study, we introduce nine propositions to begin to build a grounded theory for use of log management system. We present a blended IS Success and Task-technology Fit model. Our model shows how quality measures feed into technology and task-fit, which then drive use and organizational benefits. This study helps explain why they are widely used and how they are measured for quality.

Paper 17: : Authenticating Pre-Literate Children

Michaela Stewart, Mhairi Campbell, Karen Renaud and Suzanne Prior

Many online services require users to authenticate themselves to prove their identity. Text-based passwords are the most widely-used authentication mechanism. Yet a number of population groups struggle with text-based passwords. One of these groups is made up of children aged 3-5. This is an important sector of society, because many of these children use the Internet at home. This was especially true during the COVID-19 pandemic. Young children can struggle with text-based passwords due to their emerging literacy and immature development. The majority of children do not learn to read fluently until age seven. At age four or five, they generally do not have the required skills to create, retain and manage alphanumeric passwords. This might well leave young children vulnerable when online or impose unrealistic demands on their care givers who support them in authenticating themselves. Here, we report on the development and evaluation of two versions of KidzPass, a graphical authentication mechanism that specifically relies on the abilities 3-5 year old children can be expected to possess. We conclude by reporting on lessons learned about designing authentication for this target user group.

Paper 18: The Effect of Trust in Authentication Methods on Risk Perceptions and Security Concerns when using Mobile Devices

Jordan B. Barlow and Sinjini Mitra

This research in progress study examines how perceptions of authentication methods on mobile devices, both biometric- and non-biometric-based, can in turn affect risk perceptions, security concerns, and intentions when completing sensitive actions on a mobile device. We conducted an initial small-scale scenario-method survey study with 62 graduate and undergraduate students to test how their perceptions (trust, usefulness, ease of use, and convenience) of authentication methods would affect their perceptions of various sensitive actions (e.g., banking, health) on a mobile device that uses a given authentication method. We found that trust in an authentication method affects risk perceptions and security concerns. In turn, such risk perceptions and security concerns affect intentions to complete such actions on that device. The effect was fully mediated. We also find that convenience, usefulness, and ease of use of an authentication method have no significant effect on risk perceptions and security concerns, and that the effect is not significantly different between biometric-based and non-biometric-based methods. This research is in progress; based on workshop feedback we plan to collect additional data to further refine our study.