Information Security Policy Compliance

One of the most challenging problems modern firms face is that their weakest link in maintaining information security is the behavior of employees: clicking on phishing emails, telling friends and family private information, and searching for private information about themselves (Loch, Carr and Warkentin 1992). A survey conducted by the Computer Security Institute reported that the average monetary loss per incident was $288,618 and that 44% of those who responded to the survey reported insider security-related abuse, making it the second-most frequently occurring computer security incident (Richardson 2008). This paper uses a questionnaire from Hu, West and Smarandescu (2015) to test for the efficacy of different reward and punishment schemes in preventing insider security-related abuse. Hu et al.’s (2015) scenarios elicit from participants whether they would recommend violating company IT policies. Real monetary payments provide motivation.3 The results indicate that, if a company can detect abuses with some degree of certainty, the best strategy among those tested is to regularly reward individual employees with small rewards for complying with company policy and punish every detected violation. This recommendation contrasts with the existing literature, which focuses almost entirely on punishment for detected security breaches. This focus on punishment is referred to as General Deterrence Theory (Straub Jr 1990). The results in this paper suggest strongly that General Deterrence Theory does not provide an effective strategy for preventing security breaches

Designing an incentive mechanism for information security policy compliance: An experiment

Much information security research focuses on policies firms could adopt to reduce or eliminate employees’ violation behavior. However, current information security policies are based on increasingly outmoded models of compliance behavior. This paper proposes a novel behavioral-based mechanism that offers rewards and punishments to incentivize employees to take the time to protect a company’s information assets. This new mechanism is grounded in insights from externality taxes and subsidies, as well as from behavioral economics, that specific incentives operationalized as monetary rewards and punishments effectively improve information security compliance. We also consider the importance of detection in implementing our mechanism. We conduct a set of laboratory experiments to study the impact of the rewards and punishments, as well as the importance of the probability of detection. Our results show clearly that rewards alone or a combination of rewards and punishments are effective in improving information security policy compliance in both high and low-detection environments, but punishments alone are not effective in either of our environments. In addition, a company’s information security compensation plan is more likely to be effective in improving compliance if the company can more reliably detect violations. Overall, our study suggests that a compensation structure based on small and predictable financial rewards and punishments is likely more effective than the current punishment-focused approach.This is a preprint of an article published as Li, Yuanxiang John, and Elizabeth Hoffman. "Designing an incentive mechanism for information security policy compliance: An experiment." Journal of Economic Behavior & Organization 212 (2023): 138-159. doi:10.1016/j.jebo.2023.05.033. Posted with permission

Information Security Policy Compliance

One of the most challenging problems modern firms face is that their weakest link in maintaining information security is the behavior of employees: clicking on phishing emails, telling friends and family private information, and searching for private information about themselves (Loch, Carr and Warkentin 1992). A survey conducted by the Computer Security Institute reported that the average monetary loss per incident was $288,618 and that 44% of those who responded to the survey reported insider security-related abuse, making it the second-most frequently occurring computer security incident (Richardson 2008). This paper uses a questionnaire from Hu, West and Smarandescu (2015) to test for the efficacy of different reward and punishment schemes in preventing insider security-related abuse. Hu et al.’s (2015) scenarios elicit from participants whether they would recommend violating company IT policies. Real monetary payments provide motivation.3 The results indicate that, if a company can detect abuses with some degree of certainty, the best strategy among those tested is to regularly reward individual employees with small rewards for complying with company policy and punish every detected violation. This recommendation contrasts with the existing literature, which focuses almost entirely on punishment for detected security breaches. This focus on punishment is referred to as General Deterrence Theory (Straub Jr 1990). The results in this paper suggest strongly that General Deterrence Theory does not provide an effective strategy for preventing security breaches.</p

Should firms pay for online brand communities: Using lead user theory in analyzing two contrasting cases

Despite the importance and benefits of Online Brand Communities, there is little discussion in the literature about whether it is necessary for a firm to financially sponsor its online brand community. By incorporating brand trust, brand knowledge, and reciprocal behavior into Lead User Theory, this paper studies what influences consumers' participation potentials in new product development. Two online survey instruments are employed, and data is collected from two matchable well-known IT companies for two types of online brand communities: Company-initiated and Consumer-initiated. Two separate parallel Structural Equation Modeling analyses are conducted to test these two matchable samples and assess the research model. Our findings suggest that firms may not need to pay to sponsor their online brand communities. We infer our conclusion about company-sponsored communities from our findings that brand trust and brand knowledge play different roles for company-initiated and consumer-initiated online brand communities. Brand knowledge directly impacts consumers' participation potentials in consumer-initiated online brand communities, but only indirectly impacts through brand trust in company-initiated online brand communities.This is a manuscript of an article published as Li, Yuanxiang John, Elizabeth Hoffman, and Dan Zhu. "Should firms pay for online brand communities: Using lead user theory in analyzing two contrasting cases." Decision Support Systems (2022): 113729. doi:10.1016/j.dss.2021.113729. Posted with permission. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License

Maternal urinary manganese and risk of low birth weight: a case–control study

Abstract Background Manganese (Mn) is an essential element for humans, but exposure to high levels has been associated with adverse developmental outcomes. Early epidemiological studies evaluating the effect of Mn on fetal growth are inconsistent. Methods We investigated the association between maternal urinary Mn during pregnancy and the risk of low birth weight (LBW). Mn concentrations in maternal urine samples collected before delivery were measured in 816 subjects (204 LBW cases and 612 matched controls) recruited between 2012 and 2014 in Hubei Province, China. Results The median Mn concentration in maternal urine was 0.69 μg/g creatinine. Compared to the medium tertile of Mn levels, an increased risk of LBW was observed for the lowest tertile (≤0.30 μg/g creatinine) [adjusted odds ratio (OR) = 1.28; 95 % confidence interval (CI) = 0.67, 2.45], and a significantly increased risk of LBW was observed for the highest tertile (≥1.16 μg/g creatinine) [adjusted OR = 2.04; 95 % CI = 1.12, 3.72]. A curvilinear relationship between maternal urinary Mn and risk of LBW was observed, showing that the concentration at 0.43 μg/g creatinine was the point of inflection. Similar associations were observed among the mothers with female infants and among the younger mothers < 28 years old. However, among the mothers with male infants or the older mothers ≥ 28 years old, only higher levels of Mn were positively associated with LBW. Conclusions Lower or higher levels of maternal urinary Mn are associated with LBW, though only the association of LBW risk and higher levels of Mn was statistically significant. The findings also show that the associations may vary by maternal age and infant sex, but require confirmation in other populations

Additional file 1: of Maternal urinary manganese and risk of low birth weight: a case–control study

Distribution of maternal urianry manganese and restricted spline curves association between urinary manganese concentration and risk of low birth weigh in the stratified analysis. (DOCX 104 kb

Recent advances in basic neurosciences and brain disease: from synapses to behavior

Abstract Understanding basic neuronal mechanisms hold the hope for future treatment of brain disease. The 1st international conference on synapse, memory, drug addiction and pain was held in beautiful downtown Toronto, Canada on August 21–23, 2006. Unlike other traditional conferences, this new meeting focused on three major aims: (1) to promote new and cutting edge research in neuroscience; (2) to encourage international information exchange and scientific collaborations; and (3) to provide a platform for active scientists to discuss new findings. Up to 64 investigators presented their recent discoveries, from basic synaptic mechanisms to genes related to human brain disease. This meeting was in part sponsored by Molecular Pain, together with University of Toronto (Faculty of Medicine, Department of Physiology as well as Center for the Study of Pain). Our goal for this meeting is to promote future active scientific collaborations and improve human health through fundamental basic neuroscience researches. The second international meeting on Neurons and Brain Disease will be held in Toronto (August 29–31, 2007).</p

Recent advances in basic neurosciences and brain disease: from synapses to behavior

Understanding basic neuronal mechanisms hold the hope for future treatment of brain disease. The 1st international conference on synapse, memory, drug addiction and pain was held in beautiful downtown Toronto, Canada on August 21–23, 2006. Unlike other traditional conferences, this new meeting focused on three major aims: (1) to promote new and cutting edge research in neuroscience; (2) to encourage international information exchange and scientific collaborations; and (3) to provide a platform for active scientists to discuss new findings. Up to 64 investigators presented their recent discoveries, from basic synaptic mechanisms to genes related to human brain disease. This meeting was in part sponsored by Molecular Pain, together with University of Toronto (Faculty of Medicine, Department of Physiology as well as Center for the Study of Pain). Our goal for this meeting is to promote future active scientific collaborations and improve human health through fundamental basic neuroscience researches. The second international meeting on Neurons and Brain Disease will be held in Toronto (August 29–31, 2007).Psychiatry, Department ofNon UBCMedicine, Faculty ofReviewedFacult