Empathy in Security: The Effect of Personalized Awareness and Training Initiatives on Information Security Attitude and Behavioral Intention

Donaldson, Jacob

19 May 2021

No description available.

Business Administration

Information Security

Information Security Awareness

Information Security Training

Empathy in Information Security

Persuasive Communication

Elaboration Likelihood Model

The Role of Habit in Information Security Behaviors

Malimage, Kalana

14 December 2013

The purpose of this present study is to understand the role of habit in information security behaviors. The automatic aspect of habit and its impact on secure behavior and the intention-behavior relationship was explored in this dissertation through the lens of protection motivation theory. Three secure behaviors were selected for the investigation after following a rigorous process to identify habitual secure behaviors. The three behaviors that were investigated are: locking the PC when leaving it unattended, verifying the recipient email addresses before sending email and visiting only verified websites. Separate pilot studies were conducted for each of the behaviors followed by a main investigation. Habit was measured with a first-order reflective and second-order formative scale that captured the multidimensional aspects of habit: Lack of Awareness, Uncontrollability and Mental Efficiency. Data were collected for each of the behaviors separately via separate online surveys using Amazon Mechanical-Turk. The results of the data analyses indicate that habit significantly influence the performance of secure behavior while negatively moderating the intention-behavior relationship for each of the three behaviors. The findings also confirm that when certain behaviors are habitual, the cognitive resources needed to make decisions on performing behavior reduce. Several alternate models were analyzed as a part of the post hoc phase of the study. The findings of this study provide several contributions to the IS research and practice. This study investigated the role of habit in an information security context using a second-order formative scale. The findings indicate that habit play a significant role in the performance of secure behaviors and verifies the relationship between intention and behavior in an information security context. The findings provide directions to organizations in understanding habits of their employees and to foster positive habits while breaking negative habits. The findings of this study provide several future research directions and highlight the importance of further exploration of habit in an information security context.

information security

habit

protection motivation

Assessment of Information Security Culture in Higher Education

Glaspie, Henry

01 January 2018

Information security programs are instituted by organizations to provide guidance to their users who handle their data and systems. The main goal of these programs is to protect the organization's information assets through the creation and cultivation of a positive information security culture within the organization. As the collection and use of data expands in all economic sectors, the threat of data breach due to human error increases. Employee's behavior towards information security is influenced by the organizations information security programs and the overall information security culture. This study examines the human factors of an information security program and their effect on the information security culture. These human factors consist of stringency of organizational policies, behavior deterrence, employee attitudes towards information security, training and awareness, and management support of the information security programs. A survey questionnaire was given to employees in the Florida College System to measure the human aspects of the information security programs. Confirmatory factor analysis (CFA) and Structural Equation Modeling (SEM) were used to investigate the relationships between the variables in the study using IBM® SPSS® Amos 24 software. The study results show that management support and behavior deterrence have a significant positive relationship with information security. Additionally, the results show no significant association between information security culture and organization policies, employee commitment and employee awareness. This suggests a need for further refinement of the model and the survey tool design to properly assess human factors of information security programs and their effects on the organizational security culture.

Defense and Security Studies

Information Security

Federal, State and Local Law Enforcement Agency Interoperability Capabilities and Cyber Vulnerabilities

Trapnell, Tyrone

01 May 2019

The National Data Exchange (N-DEx) System is the central informational hub located at the Federal Bureau of Investigation (FBI). Its purpose is to provide network subscriptions to all Federal, state and local level law enforcement agencies while increasing information collaboration across all domains. The National Data Exchange users must satisfy the Advanced Permission Requirements, confirming the terms of N-DEx information use, and the Verification Requirement (verifying the completeness, timeliness, accuracy, and relevancy of N-DEx information) through coordination with the record-owning agency (Management, 2018). A network infection model is proposed to simulate the spread impact of various cyber-attacks within Federal, state and local level law enforcement networks that are linked together through the topologies merging with the National Data Exchange (N-DEx) System as the ability to manipulate the live network is limited. The model design methodology is conducted in a manner that creates a level of organization from the state level to the local level of law enforcement agencies allowing for each organizational infection probability to be calculated and entered, thus making the model very specific in nature for determining spread or outbreaks of cyber-attacks among law enforcement agencies at all levels. This research will enable future researchers to further develop a model that is capable of detecting weak points within an information structure when multiple topologies merge, allowing for more secure operations among law enforcement networks.

Defense and Security Studies

Information Security

Predictors of Ransomware from Binary Analysis

Otis, Aaron M

01 September 2019

Ransomware, a type of malware that extorts payment from a victim by encrypting her data, is a growing threat that is becoming more sophisticated with each generation. Attackers have shifted from targeting individuals to entire organizations, raising extortions from hundreds of dollars to hundreds of thousands of dollars. In this work, we analyze a variety of ransomware and benign software binaries in order to identify indicators that may be used to detect ransomware. We find that several combinations of strings, cryptographic constants, and a large number loops are key indicators useful for detecting ransomware.

Binary Analysis

Ransomware

Information Security

Reducing Incongruity of Perceptions Related to Information Risk: Dialogical Action Research in Organizations

Sedlack, Derek J.

01 January 2012

A critical overreliance on the technical dimension of information security has recently shifted toward more robust, organizationally focused information security methods to countermand $54 billion lost from computer security incidents. Developing a more balanced approach is required since protecting information is not an all or nothing proposition. Inaccurate tradeoffs resulting from misidentified risk severity based on organizational group perceptions related to information risk form information security gaps. This dissertation applies dialogical action research to study the information security gap created by incongruent perceptions of organizational members related to information risk among different stakeholder communities. A new model, the Information Security Improvement model, based on Technological Frames of Reference (TFR), is proposed and tested to improve information security through reduced member incongruity. The model proved useful in realigning incongruent perceptions related to information risk within the studied organization. A process for identifying disparate information characteristics and potential influencing factors is also presented. The research suggested that the model is flexible and extensible, within the organizational context, and may be used to study incongruent individual perceptions (micro) or larger groups such as departments or divisions.

information

information security

information security improvement

information security strategy

information systems

technological frames of reference

Computer Sciences

Strong Intents Against Weak Links : Towards a Holistic Integration of Behavioral Information Security in Organizations with Strategic Intent

Koller, Teresa Marie, Ljung, Migle

January 2021

The human factor has been detected as the weakest link in the information security of organizations. Methods like training and awareness programs and the implementation of security policies have been developed, but they still seem to be less effective than desired. Authors have suggested integrating information security more holistically in organizations. In this study we discuss how strategic intent can influence an information security culture and improve information security behavior, thereby strengthening the weakest link. This thesis aims to develop a conceptual framework for organizations to integrate behavioral information security holistically with strategic intent. This thesis is based on a qualitative study with an abductive approach consisting of nine exploratory, semi-structured interviews. This way we could find today’s most prominent factors that might reinforce information security behavior in organizations and discuss the interrelations among those factors together with their potential facilitators and barriers. To improve behavioral InfoSec holistically in organizations, strategic Intent and InfoSec culture are promising factors. All factors have clear interrelations, but also potential facilitators and barriers.

Information Security Behavior

Information Security Culture

Strategic Intent

Behavioral Information Security

Qualitative Study

Business Administration

Företagsekonomi

The economics of information security

Dlamini, Moses Thandokuhle

20 September 2010

In the year 2008, world markets suffered a huge economic crisis. The extent of the economic crisis has been so severe and has had a global impact. As a contingency strategy, governments of wealthy nations have resorted to extensive bailouts and rescue packages to stop organisations from going bankrupt. A skyrocketing amount of money has been spent on rescue packages and bailouts for the tumbling organisations. However, this could not stop some of the world’s wealthiest financial institutions e.g. Lehman Brothers, Northern Rock, etc from collapsing. Most of the surviving organisations froze their expenditure, implemented cost-cutting measures and in the process, numerous employees lost their jobs. Executives were compelled to ‘achieve more with less’ in order to save their organisations from going bankrupt. It is on this premise that this research proposed the BC3I (Broad Control Category Cost Indicators) model, which is a step towards ‘achieving more with less’ within information security budgeting. The tumbling world markets and increased requirements for legal and regulatory compliance have made this a timely and relevant research that addressed a current, spot-on and global problem. The BC3I model as the main outcome of this research has indeed come at the right time. The BC3I model as proposed in this research makes a real contribution towards assisting information security managers as they make informed decisions regarding the optimal and cost-effective allocation of financial resources to information security activities. The proposed model can be argued to be a good start towards the selection of appropriate controls to optimally and cost-effectively protect organisations’ information assets and simultaneously achieve compliance with legal and regulatory mandates. As a proof of concept, the practicality of the BC3I model has been demonstrated in three different scenarios. The model has been illustrated for an organisation chosen from the financial sector; being the hardest hit by the economic crisis. Furthermore, the financial sector is chosen because of its high reliance on information security for the most obvious reasons that of dealing with money and confidential customer information. Finally and for acceptance purposes, the model has been discussed and reviewed by industry experts from the financial sector. Copyright / Dissertation (MSc)--University of Pretoria, 2010. / Computer Science / unrestricted

Broad control categories

Information security standards

Budget constraints

Information security

Information security investment

Information security budget

Information security controls

UCTD

Olika perspektiv på informationssäkerhet : En fallstudie på ett universitet

Wallin, Emma, Andersson, Ellinor

January 2022

Utbildningssektorn har sedan en tid tillbaka varit extra utsatt för cyberattacker, dels på grund av dess öppna nätverk och det stora antalet användare, men ofta också på grund av ett bristande informationssäkerhetsarbete (Wood 2014). Syftet med uppsatsen är att undersöka vad ett svenskt universitet och dess anställda har för uppfattning av informationssäkerhet samt om och i så fall hur dessa syner skiljer sig åt. Det med hjälp av teorin Technological frames (Orlikowski & Gash 1994). I studien har sex anställda och enheten för informationssäkerhet på universitetet intervjuats. Författarna har även utfört en deltagande observation vid en internutbildning i informationssäkerhet. Resultaten visar att de två grupperna bland annat har en samsyn om att människan är det största hotet för infektioner och attacker, att information i olika former är viktig att skydda, att den fysiska säkerheten samt lösenord är viktiga, att organisationen måste hitta en lagom nivå av informationssäkerhet och att ansvar för informationssäkerhetsutbildning för anställda främst ligger hos organisationen men att det trots allt också finns ett ansvar hos individen att själv ta reda på information. Det förelåg olika syner på huruvida phishing-mejl skulle raderas direkt eller rapporteras och vilka kommunikationsvägar som bör användas mellan enheten för informationssäkerhet och de anställda. De anställda hade dessutom en snävare syn på vad informationssäkerhet är jämfört med enheten för informationssäkerhet. / The education sector has recently been particularly exposed to cyber attacks, partly due to its open networks and the large number of users, but also due to a lack of information security (Wood 2014). The purpose of the thesis is to investigate what image a Swedish university and its employees have of information security and if these views differ, and in that case how. This study draws on the theory Technological frames (Orlikowski & Gash 1994). In the study, six employees and the information security unit at the university were interviewed. We also per­formed participatory observation during an internal course in information security. The results show that the two groups agree that humans are the biggest threat when it comes to cyber at­tacks, that information in various forms is important to protect, that physical security and pass­words are important, that the organization must find a reasonable level of information security and that the organization should have the primary responsibility for information security train­ing for employees, but that individuals also have a responsibility. There were different views on whether phishing emails should be deleted directly or reported. The views differ when it comes to which communication channels should be used between the unit of information secu­rity and the employees. The employees also had a narrower view of what information security is compared to the unit for information security.

Information security

Information Security Awareness

ISA

Information Security Training

IST

Technological frames

Informationssäkerhet

Information Security Awareness

ISA

Information Security Training

IST

Technological frames

Information Systems

Studies on Employees’ Information Security Awareness

Häußinger, Felix

13 May 2015

No description available.

330

Information Security Awareness

Information Security Behahavior

Information Systems Security

Antecedents of Information Security

Endogenous Motivation

Wirtschaftswissenschaften (PPN621567140)