Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks

Bauer, Stefan, Bernroider, Edward, Chudzikowski, Katharina

17 April 2017

In organizations, users' compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users' compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers' efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view on ISA program design practices. Moreover, we identified influences on users' perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship of ISA program designs and factors, which are likely to influence users' ISP compliance.

Shaping information security behaviors related to social engineering attacks

Rocha Flores, Waldo

January 2016

Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency of IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Paper 2 and 3 describes how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Paper 5 and 8 describes how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Paper 6 and 7 describes experiments performed to understand reason to why employees fall for social engineering. Finally, paper 2, 5 and 6 examines the moderating effect of national culture. / <p>QC 20160503</p>

Information security

Behavioral information security

Social engineering

Phishing

Measuring information security behaviors

Information security governance

Experiments

National culture

Mixed method research design

Quantitative methods

Explaining policy differences as a function of diverse governance institutions

Flowers, Jim David

27 May 2016

This study asks the question: “How does the structure of cybersecurity policy relate to differences in structure of policy governance of universities and colleges?” The study has three objectives. First, the study seeks to add to the body of knowledge concerning the relationship between the structure of cybersecurity policy processes and the security policies developed by those processes. Second, the study seeks to demonstrate the usefulness of the Institutional Grammar Tool, Rules Configurations, and other methods employed to analyze institutional configurations. Third, the study seeks to provide pragmatic suggestions for cybersecurity practitioners to systematically identify deficiencies in policy structure that contribute to less than optimum outcomes. Research on this question is necessary as no integrative framework exists for describing or predicting how organizations adopt and implement cyber security policy. The study proposes such a framework by integrating an ideal model for cyber security governance with the principles of the Institutional Analysis and Design framework (IAD). Four research universities of the University System of Georgia are subjected to a cross-case comparison of information security policies. Interviews and policy documents provide a database of institutional statements that are analyzed using IAD methods and tools. Prior research suggests that elements of policy structure, such as how the policy fits the organization’s objectives and culture, are linked to policy effectiveness. Research also suggests that how those elements of policy structure reflect external threats and organizational factors are determined by how the cybersecurity policy development is integrated into the governance of university wide policy. In addition to demonstrating the utility of an integrated approach to studying the problem of creating effective policy, findings demonstrate how a well-integrated cybersecurity governance structure provides better fit, constructs policies of appropriate scope, and is more likely to include the components of governance necessary for policy effectiveness. Findings also suggest that policy form, the readability of policy, may be improved if the documents are analyzed using the institutional grammar tools suggested by the IAD and if collaboration with users and managers to construct policy is encouraged. The capability of the methods employed by the study to identify deficiencies in cyber security governance structure that are manifested in less effective policy outcomes may aid policy makers as they strive to develop policy solutions to an ever changing security threat

Public policy

Institutional analysis

Information security

Non-intrusive continuous user authentication for mobile devices

Karatzouni, Sevasti

January 2014

The modern mobile device has become an everyday tool for users and business. Technological advancements in the device itself and the networks that connect them have enabled a range of services and data access which have introduced a subsequent increased security risk. Given the latter, the security requirements need to be re-evaluated and authentication is a key countermeasure in this regard. However, it has traditionally been poorly served and would benefit from research to better understand how authentication can be provided to establish sufficient trust. This thesis investigates the security requirements of mobile devices through literature as well as acquiring the user’s perspectives. Given the findings it proposes biometric authentication as a means to establish a more trustworthy approach to user authentication and considers the applicability and topology considerations. Given the different risk and requirements, an authentication framework that offers transparent and continuous is developed. A thorough end-user evaluation of the model demonstrates many positive aspects of transparent authentication. The technical evaluation however, does raise a number of operational challenges that are difficult to achieve in a practical deployment. The research continues to model and simulate the operation of the framework in an controlled environment seeking to identify and correlate the key attributes of the system. Based upon these results and a number of novel adaptations are proposed to overcome the operational challenges and improve upon the impostor detection rate. The new approach to the framework simplifies the approach significantly and improves upon the security of the system, whilst maintaining an acceptable level of usability.

005.8

An analysis of the impact of emerging technology on organisations’ internal controls

11 September 2013

M.Comm. (Computer Auditing) / This study presents an evaluation of emerging information communication technology (ICT) solutions to the security internal control systems in South African organisations. Information systems have enabled companies to communicate more efficiently, gain competitive advantage and get a larger market share. These information systems therefore need to be protected securely as they are the vehicles and containers for critical information assets in decision-making processes. Therefore, this research study seeks to provide an overview of the emerging ICT solutions used to conduct business transactions, and share and communicate information. It identifies and analyses the new security risk associated with the emerging technology, and, finally, outlines the ICT security frameworks that can be used to identify, assess and evaluate organisations‟ security internal controls.

Computer auditing

Information security

Computer security

An Examination of a Virtual Private Network Implementation to Support a Teleworking Initiative: The Marcus Food Company Inc. Case Study

Ferguson, Jason

01 January 2010

In this dissertation, the author examined the capabilities of virtual private networks (VPNs) in supporting teleworking environments for small businesses in the food marketing sector. The goal of this research was to develop an implementation model for small businesses in the food marketing sector that use a VPN solution to support teleworker access to corporate resources. The author conducted a case study of the Marcus Food Company (MFC) VPN implementation in conjunction with the system development life cycle (SDLC) methodology to achieve this objective. The SDLC methodology was used to support the planning, design, and implementation of the MFC VPN. The SDLC consists of five phases. For Phase 1, the Research Phase, the author examined the business requirements for a VPN, conducted a survey of MFC employees, and performed participant observation. In Phase 2, the Analysis Phase, the author analyzed the data collected during Phase 1 to facilitate the development of a requirements list. Next, in Phase 3, the Logical Design Phase, the author designed and developed standardized diagrams of the MFC VPN implementation. In Phase 4, the Physical Design Phase, the author identified specific processes, procedures, and technologies. For Phase 5, the Implementation Phase, the author described the implementation processes for the MFC VPN initiative. Finally, the author analyzed and interpreted the data collected and then reported the results of the research. The findings from this investigation demonstrate that the SDLC methodology was a framework for planning, designing, and implementing a secure and reliable VPN solution to support teleworking. Utilizing the SDLC methodology resulted in thorough documentation, including a review of in-place network documentation, results from a survey, prioritized functional and nonfunctional requirements lists, logical design diagram, and specific hardware/software components and configurations. Using the findings from the case study and SDLC methodology, the MFC VPN implementation model is presented. The MFC implementation model may be used in small businesses, of a size similar to MFC, in which VPN initiatives are being considered.

Information Security

Virtual Private Network

Computer Sciences

Categorization of Large Corpora of Malicious Software

Kura, Deekshit

20 December 2013

Malware is computer software written by someone with mischievous or, more usually, malicious and/or criminal intent and specifically designed to damage data, hosts or networks. The variety of malware is increasing proportionally with the increase in computers and we are not aware of newly emerging malware. Tools are needed to categorize families of malware, so that analysts can compare new malware samples to ones that have been previously analyzed and determine steps to detect and prevent malware infections. In this thesis, I developed a technique to catalog and characterize the behavior of malware, so that malware families, the level of potential threat, and the effects of malware can be identified. Combinations of complementary techniques, including third-party tools, are integrated to scan and illustrate how malware may harm a target machine, search for related malware behavior, and organize malware into families, based on a number of characteristics.

Malware Analysis

Information Security

Other Computer Sciences

Informationssäkerhet : en undersökning om säkerhetsarbetet bland företag i Dals-Ed

Bengtsson, Jenny, Olsson, Jenny

January 2003

No description available.

Informationssäkerhet

Datasäkerhet

Säkerhetspolicy

Information security management

Säkerhetslösningar

Secret sharing using artificial neural network

Alkharobi, Talal M.

15 November 2004

Secret sharing is a fundamental notion for secure cryptographic design. In a secret sharing scheme, a set of participants shares a secret among them such that only pre-specified subsets of these shares can get together to recover the secret. This dissertation introduces a neural network approach to solve the problem of secret sharing for any given access structure. Other approaches have been used to solve this problem. However, the yet known approaches result in exponential increase in the amount of data that every participant need to keep. This amount is measured by the secret sharing scheme information rate. This work is intended to solve the problem with better information rate.

Secret sharing

artificial neural network

information security

Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective

Chia, Pern Hui

January 2012

Various security measures are ineffective having been designed without adequate usability and economic considerations. The primary objective of this thesis is to add an economic and socio-behavioral perspective to the traditional computer science research in information security. The resulting research is interdisciplinary, and the papers combine different approaches, ranging from analytic modeling to empirical measurements and user studies. Contributing to the fields of usable security and security economics, this thesis fulfills three motivations. First, it provides a realistic game theoretical model for analyzing the dynamics of attack and defense on the Web. Adapted from the classical Colonel Blotto games, our Colonel Blotto Phishing model captures the asymmetric conflict (resource, information, action) between a resource-constrained attacker and a defender. It also factors in the practical scenario where the attacker creates large numbers of phishing websites (endogenous dimensionality), while the defender reactively detects and strives to take them down promptly. Second, the thesis challenges the conventional view that users are always the weakest link or liability in security. It explores the feasibility of leveraging inputs from expert and ordinary users for improving information security. While several potential challenges are identified, we find that community inputs are more comprehensive and relevant than automated assessments. This does not imply that users should be made liable to protect themselves; it demonstrates the potentials of community efforts in complementing conventional security measures. We further analyze the contribution characteristics of serious and casual security volunteers, and suggest ways for improvement. Third, following the rise of third party applications (apps), the thesis explores the security and privacy risks and challenges with both centralized and decentralized app control models. Centralized app control can lead to the risk of central judgment and the risk of habituation, while the increasingly widespread decentralized user-consent permission model also suffers from the lack of effective risk signaling. We find the tendency of popular apps requesting more permissions than average. Compound with the absence of alternative risk signals, users will habitually click through the permission request dialogs. In addition, we find the free apps, apps with mature content, and apps with names mimicking the popular ones, request more permissions than typical. These indicate possible attempts to trick the users into compromising their privacy.

Information Security

Security Economics

Usable Security