Reasons for non-compliance with mandatory information assurance policies by a trained population

Shelton, D. Cragin

13 May 2015

<p> Information assurance (IA) is about protecting key attributes of information and the data systems. Treating IA as a system, it is appropriate to consider the three major elements of any system: <i>people, processes,</i> and <i>tools.</i> While IA tools exist in the form of hardware and software, tools alone cannot assure key information attributes. IA procedures and the people that must follow those procedures are also part of the system. There is no argument that people do not follow IA procedures. A review of the literature showed that not only is there no general consensus on why people do not follow IA procedures, no discovered studies simply asked people their reasons. Published studies addressed reasons for non-compliance, but always within a framework of any one of several assumed theories of human performance. The study described here took a first small step by asking a sample from an under-studied population, users of U.S. federal government information systems, why they have failed to comply with two IA procedures related to password management, and how often. The results may lay the groundwork for extending the same methodology across a range of IA procedures, eventually suggesting new approaches to motivating people, modifying procedures, or developing tools to better meet IA goals. In the course of the described study, an unexpected result occurred. The study plan had included comparing the data for workers with and without IA duties. However, almost all of the respondents in the survey declared having IA duties. Consideration of a comment by a pilot study participant brought the realization that IA awareness programs emphasizing universal responsibility for information security may have caused the unexpected responses. The study conclusions address suggestions for refining the question in future studies.</p>

Crowdsourcing for natural disaster response| An evaluation of crisis mapping the 2010 Haitian earthquake

Feighery, Annie

19 July 2014

<p> On January 12, 2010, a magnitude 7.0 earthquake struck Haiti, causing catastrophic damages that resulted in at least 300,000 dead, 300,000 serious injuries, and 1.8 million homeless. The destruction was so complete that roads were no longer visible. While buildings, roads, power, and other infrastructure have taken years to restore, mobile phone service was restored almost immediately. A communications network based on mobile phone text messages became an innovative and valuable tool for relief.</p><p> Within four hours of the earthquake, a crisis map was established, geocoding messages for inclusion in a freely accessible, online database. Over the next three months, over 3,600 messages would be translated, mapped, and coded with labels indicating the messages' actionable topics. This undertaking involved over 2,000 online volunteers from around the world. Analyzing and evaluating what happened, what worked, and what went wrong from a programmatic perspective is critical for the future use of crisis maps in disasters and for the future integration of new technologies into large bureaucratic entities.</p><p> The purpose of this study was to investigate the diffusion of a novel innovation; analyze aspects of the maps' deployment that limited success; and posit solutions for improving crisis mapping in natural disasters. The manuscript comprises three papers, beginning with a review of literature and emerging tools for social media and health promotion. The second paper developed an automated algorithm to code the need expressed in texts and compared its reliability to the actual human-derived codes. The findings suggest that automated algorithms can enhance speed of response and overcome human biases. The result is improved situational awareness. Algorithm codes revealed a pattern of message topics, which transitioned from emergency needs, including finding missing persons, to health infrastructure requests, primarily for food and water. The third paper employed a social capital framework to understand the system users' intents. The findings revealed that individuals far outnumbered aid organizations in users of the system. Also whereas the traditional rapid analysis takes six weeks, the messages revealed real-time needs. These findings suggest that machine coding methodology could increase accuracy of situational analysis and speed response in future disasters.</p>

Strong Intents Against Weak Links : Towards a Holistic Integration of Behavioral Information Security in Organizations with Strategic Intent

Koller, Teresa Marie, Ljung, Migle

January 2021

The human factor has been detected as the weakest link in the information security of organizations. Methods like training and awareness programs and the implementation of security policies have been developed, but they still seem to be less effective than desired. Authors have suggested integrating information security more holistically in organizations. In this study we discuss how strategic intent can influence an information security culture and improve information security behavior, thereby strengthening the weakest link. This thesis aims to develop a conceptual framework for organizations to integrate behavioral information security holistically with strategic intent. This thesis is based on a qualitative study with an abductive approach consisting of nine exploratory, semi-structured interviews. This way we could find today’s most prominent factors that might reinforce information security behavior in organizations and discuss the interrelations among those factors together with their potential facilitators and barriers. To improve behavioral InfoSec holistically in organizations, strategic Intent and InfoSec culture are promising factors. All factors have clear interrelations, but also potential facilitators and barriers.

Information Security Behavior

Information Security Culture

Strategic Intent

Behavioral Information Security

Qualitative Study

Business Administration

Företagsekonomi

Shaping information security behaviors related to social engineering attacks

Rocha Flores, Waldo

January 2016

Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency of IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Paper 2 and 3 describes how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Paper 5 and 8 describes how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Paper 6 and 7 describes experiments performed to understand reason to why employees fall for social engineering. Finally, paper 2, 5 and 6 examines the moderating effect of national culture. / <p>QC 20160503</p>

Information security

Behavioral information security

Social engineering

Phishing

Measuring information security behaviors

Information security governance

Experiments

National culture

Mixed method research design

Quantitative methods

Efeitos da informação verbal no acoplamento entre a informação visual e oscilação corporal / Effects of the verbal information in the coupling between the visual information and body oscillattion

Perotti Junior, Alaercio

25 August 2006

O objetivo desse estudo foi verificar os efeitos da manipulação de informação, visual proveniente de uma sala móvel, verbal fornecida sobre o movimento da sala e sobre uma ação solicitada, na oscilação corporal em crianças e adultos. Participaram deste estudo 20 crianças e 20 adultos jovens, que permaneceram na posição ereta dentro de uma sala móvel. Os resultados revelaram que a dinâmica intrínseca do sistema, referente ao relacionamento entre informação visual e oscilação corporal, não é facilmente modificada pela informação comportamental. A manipulação dos tipos de informação verbal, sobre movimento da sala e solicitação de uma ação, altera o relacionamento entre informação visual e oscilação corporal na situação da sala móvel. Entretanto, esta alteração requer atuação contínua do participante e, ainda, a solicitação de uma ação é mais efetiva nesta alteração do que somente a informação sobre o que está ocorrendo. Finalmente, há mudanças desenvolvimentais em como estas diferentes informações são utilizadas para o controle de uma ação motora. Enquanto adultos jovens utilizam as informações fornecidas de forma mais adequada para a ação solicitada, crianças apresentam dificuldade em utilizar a informação fornecida ou realizar uma ação solicitada frente à dinâmica intrínseca do sistema. / The purpose of this study was to verify the effects of the manipulation of information, visual from a moving room, verbal informing about the movement of the room and about a requested action, in body sway of children and adults. Participated of this study 20 children and 20 young adults, who stood upright inside of a moving room. The results revealed that the system intrinsic dynamics, regarding the relationship between visual information and body sway, is not easily modified by behavioral information. The manipulation of the types of verbal information, about the moving room?s movement and requesting a specific action, alters the relationship between visual information and body sway in the moving room situation. However, this change requires the participant\'s continuous attention and, moreover, requesting an action is more effective than only the information about what is happening. Finally, there are behavioral changes in how these different types of information are used for the control of a motor action. While young adults use the provided information in a more appropriate way to perform the requested action, children show difficulty in order to use the provided information or to accomplish an action requested due to the intrinsic dynamics of the system.

ação motora

behavioral information

ciclo percepção-ação

controle postural

dinâmica intrínseca

informação comportamental

intrinsic dynamics

motor action

perception-action cycle

postural control

Efeitos da informação verbal no acoplamento entre a informação visual e oscilação corporal / Effects of the verbal information in the coupling between the visual information and body oscillattion

Alaercio Perotti Junior

25 August 2006

O objetivo desse estudo foi verificar os efeitos da manipulação de informação, visual proveniente de uma sala móvel, verbal fornecida sobre o movimento da sala e sobre uma ação solicitada, na oscilação corporal em crianças e adultos. Participaram deste estudo 20 crianças e 20 adultos jovens, que permaneceram na posição ereta dentro de uma sala móvel. Os resultados revelaram que a dinâmica intrínseca do sistema, referente ao relacionamento entre informação visual e oscilação corporal, não é facilmente modificada pela informação comportamental. A manipulação dos tipos de informação verbal, sobre movimento da sala e solicitação de uma ação, altera o relacionamento entre informação visual e oscilação corporal na situação da sala móvel. Entretanto, esta alteração requer atuação contínua do participante e, ainda, a solicitação de uma ação é mais efetiva nesta alteração do que somente a informação sobre o que está ocorrendo. Finalmente, há mudanças desenvolvimentais em como estas diferentes informações são utilizadas para o controle de uma ação motora. Enquanto adultos jovens utilizam as informações fornecidas de forma mais adequada para a ação solicitada, crianças apresentam dificuldade em utilizar a informação fornecida ou realizar uma ação solicitada frente à dinâmica intrínseca do sistema. / The purpose of this study was to verify the effects of the manipulation of information, visual from a moving room, verbal informing about the movement of the room and about a requested action, in body sway of children and adults. Participated of this study 20 children and 20 young adults, who stood upright inside of a moving room. The results revealed that the system intrinsic dynamics, regarding the relationship between visual information and body sway, is not easily modified by behavioral information. The manipulation of the types of verbal information, about the moving room?s movement and requesting a specific action, alters the relationship between visual information and body sway in the moving room situation. However, this change requires the participant\'s continuous attention and, moreover, requesting an action is more effective than only the information about what is happening. Finally, there are behavioral changes in how these different types of information are used for the control of a motor action. While young adults use the provided information in a more appropriate way to perform the requested action, children show difficulty in order to use the provided information or to accomplish an action requested due to the intrinsic dynamics of the system.

ação motora

ciclo percepção-ação

controle postural

dinâmica intrínseca

informação comportamental

behavioral information

intrinsic dynamics

motor action

perception-action cycle

postural control