1,404 research outputs found

    Psychological Profiling of Hacking Potential

    This paper investigates the psychological traits of individuals’ attraction to engaging in hacking behaviors (both ethical and illegal/unethical) upon entering the workforce. We examine the role of the Dark Triad, Opposition to Authority and Thrill-Seeking traits as regards the propensity of an individual to be interested in White Hat, Black Hat, and Grey Hat hacking. A new set of scales was developed to assist in the delineation of the three hat categories. We also developed a scale to measure each subject’s perception of the probability of being apprehended for violating privacy laws. Engaging in criminal activity involves a choice where there are consequences and opportunities, and individuals perceive them differently, but they can be deterred if there is a likelihood of punishment, and the punishment is severe. The results suggest that individuals that are White Hat, Grey Hat and Black Hat hackers score high on the Machiavellian and Psychopathy scales. We also found evidence that Grey Hatters oppose authority, Black Hatters score high on the thrill-seeking dimension and White Hatters, the good guys, tend to be Narcissists. Thrill-seeking was moderately important for White Hat hacking and Black Hat hacking. Opposition to Authority was important for Grey Hat hacking. Narcissism was not statistically significant in any of the models. The probability of being apprehended had a negative effect on Grey Hat and Black Hat hacking. Several suggestions will be made on what organizations can do to address insider threats.

    Orientation and Social Influences Matter: Revisiting Neutralization Tendencies in Information Systems Security Violation

    It is estimated that over half of all information systems security breaches are due directly or indirectly to the poor security practices of an organization’s employees. Previous research has shown neutralization techniques as having influence on the intent to violate information security policy. In this study, we proposed an expansion of the neutralization model by including the effects of business and ethical orientation of individuals on their tendencies to neutralize and compromise with information security policy. Additionally, constructs from social influences and pressures have been integrated into this model to measure the impact on the intent to violate information security policy from social perspectives. This study is a quantitative study that used a survey methodology for data collection. A stratified sampling method was used to ensure equal representation in the population. A sample of members was collected using a random sampling procedure from each stratum. All data were collected by sending a survey link via email through SurveyMonkey’s participant outreach program to the aforementioned groups. Partial least squares were used for data analysis. Findings showed business and ethical orientation had a negative impact on accepting neutralization techniques which ultimately result in the intent to violate information security policy. Furthermore, this research found neutralization, social influences, and social pressures as having 24 percent of influence to violate information security policy. Business orientation and ethical orientation contributed to 15 percent of influence in variance on employees accepting neutralization techniques. Implications of this research suggest information security policies can be compromised by employees and additional measures are needed. Behavioral analytics may provide an understanding of how employees act and why. 
    Routine training is necessary to help minimize risks, and a healthy security culture will promote information security as a focal point to the organization.

    The interaction of dark traits with the perceptions of apprehension

    This paper integrates dark personality traits with the economics of crime and rational choice theories to identify the role that the Dark Triad and thrill-seeking have on the perceptions of being caught engaging in violating privacy laws. Psychopathy and thrill-seeking had a moderate negative effect on the perceptions of the probability of being apprehended for distributing illegally obtained healthcare information. The implication is that individuals scoring high on the psychopathy and thrill-seeking scales will need less money or monetary incentives to violate HIPAA laws. We also found additional support that white hat hackers score high on the Machiavellian, psychopathy and thrill-seeking scales. We also validated a previous finding that a white hat hacker might drift towards grey hat and black hat hacking.

    Creating an information systems security culture through an integrated model of employees compliance

    Employees’ non-compliance with information systems security policies has been identified as a major threat to organizational data and information systems. This dissertation investigates the process underlying information systems security compliance in organizations with the focus on employees. The process model is complex, comprising many normative, attitudinal, psychological, environmental, and organizational factors. Therefore, the study of information security compliance requires a holistic assessment of all these factors. This dissertation seeks to achieve this objective by offering a comprehensive and integrated model of employee behavior especially focused towards information security compliance. The research framework is influenced by the Reciprocal Determinism Theory which explains individuals psycho-social functioning in terms of triadic reciprocal causation. Several theories explain the role of various factors forming the intellectual puzzle. These are: General Deterrence Theory, Social-Exchange Theory, Social Learning Theory, Expectation-Disconfirmation Theory, Rational Choice Theory, Cognitive Dissonance Theory, Reactance Theory, and Status-Quo Bias Theory. This dissertation makes several significant contributions to literature and to practitioners. Several new factors that influence compliance decisions by employees have been proposed, namely task dissonance, self-policing, word-of-mouth, and habit. For the first time, top management support has been examined as a multi-dimensional construct which provides a better understanding of the phenomenon. Also for the first time, this dissertation constructs a process model to examine the interactions between punishment severity and certainty and top management support and normative factors. It also investigates the interactions between normative and psychological factors, namely resistance and self-policing on information security compliance. 
    This dissertation emphasizes that the practitioners should consider all the relevant factors in order to manage the information security compliance problem. Therefore, it is more useful to think in terms of establishing a security culture that embodies all the relevant factors prevalent in an organization. The dissertation is guided by the positivist paradigm. Hypotheses are tested and validated using established quantitative approaches, namely data collection using survey and structural equation modeling. Major findings were derived and most of the dissertation’s hypotheses were supported. The findings are discussed, and the conclusions, significant theoretical and practical implications of the findings, limitations, and recommendations for future research are presented.

    The Role of Habit in Information Security Behaviors

    The purpose of this present study is to understand the role of habit in information security behaviors. The automatic aspect of habit and its impact on secure behavior and the intention-behavior relationship was explored in this dissertation through the lens of protection motivation theory. Three secure behaviors were selected for the investigation after following a rigorous process to identify habitual secure behaviors. The three behaviors that were investigated are: locking the PC when leaving it unattended, verifying the recipient email addresses before sending email and visiting only verified websites. Separate pilot studies were conducted for each of the behaviors followed by a main investigation. Habit was measured with a first-order reflective and second-order formative scale that captured the multidimensional aspects of habit: Lack of Awareness, Uncontrollability and Mental Efficiency. Data were collected for each of the behaviors separately via separate online surveys using Amazon Mechanical-Turk. The results of the data analyses indicate that habit significantly influence the performance of secure behavior while negatively moderating the intention-behavior relationship for each of the three behaviors. The findings also confirm that when certain behaviors are habitual, the cognitive resources needed to make decisions on performing behavior reduce. Several alternate models were analyzed as a part of the post hoc phase of the study. The findings of this study provide several contributions to the IS research and practice. This study investigated the role of habit in an information security context using a second-order formative scale. The findings indicate that habit play a significant role in the performance of secure behaviors and verifies the relationship between intention and behavior in an information security context. 
    The findings provide directions to organizations in understanding habits of their employees and to foster positive habits while breaking negative habits. The findings of this study provide several future research directions and highlight the importance of further exploration of habit in an information security context.

    Information security burnout: Identification of sources and mitigating factors from security demands and resources

    This study examines how information security burnout can develop from complying with organisational security demands, and whether security burnout can be reduced by engaging organisational and personal resources. The Job Demands-Resources model was extended to the IT security context, to develop and empirically test a security burnout model, using a sample of 443 participants in Vietnam. The results demonstrate that security task overload and difficult access to security requirements increased security burnout while dealing with challenging security requirements reduced burnout. Neither organisational resources nor user self-efficacy were effective in reducing burnout. Moreover, simple security tasks did not guarantee a burnout-free experience for users. The findings emphasise the significance of providing resources and designing security tasks as challenging and rewarding experiences, rather than simply reducing user involvement as a source of decreasing cyber security risks. The research establishes a theoretical basis for further studying the phenomenon of security burnout and its role in user security management.