SMEs' Confidentiality Concerns for Security Information Sharing

Small and medium-sized enterprises are considered an essential part of the EU economy, however, highly vulnerable to cyberattacks. SMEs have specific characteristics which separate them from large companies and influence their adoption of good cybersecurity practices. To mitigate the SMEs' cybersecurity adoption issues and raise their awareness of cyber threats, we have designed a self-paced security assessment and capability improvement method, CYSEC. CYSEC is a security awareness and training method that utilises self-reporting questionnaires to collect companies' information about cybersecurity awareness, practices, and vulnerabilities to generate automated recommendations for counselling. However, confidentiality concerns about cybersecurity information have an impact on companies' willingness to share their information. Security information sharing decreases the risk of incidents and increases users' self-efficacy in security awareness programs. This paper presents the results of semi-structured interviews with seven chief information security officers of SMEs to evaluate the impact of online consent communication on motivation for information sharing. The results were analysed in respect of the Self Determination Theory. The findings demonstrate that online consent with multiple options for indicating a suitable level of agreement improved motivation for information sharing. This allows many SMEs to participate in security information sharing activities and supports security experts to have a better overview of common vulnerabilities. The final publication is available at Springer via https://doi.org/10.1007/978-3-030-57404-8_22Comment: 10 pages, 2 figures, 14th International Symposium on Human Aspects of Information Security & Assurance (HAISA 2020

Volitional Cybersecurity

This dissertation introduces the “Volitional Cybersecurity” (VCS) theory as a systematic way to think about adoption and manage long-term adherence to cybersecurity approaches. The validation of VCS has been performed in small- and medium-sized enterprises or businesses (SMEs/SMBs) context. The focus on volitional activities promotes theoretical viewpoints. Also, it aids in demystifying the aspects of cybersecurity behaviour in heterogeneous contexts that have neither been systematically elaborated in prior studies nor embedded in cybersecurity solutions. Abundant literature demonstrates a lack of adoption of manifold cybersecurity remediations. It is still not adequately clear how to select and compose cybersecurity approaches into solutions for meeting the needs of many diverse cybersecurity-adopting organisations. Moreover, the studied theories in this context mainly originated from disciplines other than information systems and cybersecurity. The constructs were developed based on data, for instance, in psychology or criminology, that seem not to fit properly for the cybersecurity context. Consequently, discovering new methods and theories that can be of help in active and volitional forms of cybersecurity behaviour in diverse contexts may be conducive to a better quality of cybersecurity engagement. This leads to the main research question of this dissertation: How can we support volitional forms of behaviour with a self-paced tool to increase the quality of cybersecurity engagement? The main contribution of this dissertation is the VCS theory. VCS is a cybersecurity-focused theory structured around the core concept of volitional cybersecurity behaviour. It suggests that a context can be classified based on the cybersecurity competence of target groups and their distinct requirements. This classification diminishes the complexity of the context and is predictive of improvement needs for each class. Further, the theory explicates that supporting three factors: A) personalisation, B) cybersecurity competence, and C) connectedness to cybersecurity expertise affect the adoption of cybersecurity measures and better quality of cybersecurity engagement across all classes of the context. Therefore, approaches that ignore the personalisation of cybersecurity solutions, the cybersecurity competence of target groups, and the connectedness of recipients to cybersecurity expertise may lead to poorer acceptance of the value or utility of solutions. Subsequently, it can cause a lack of motivation for adopting cybersecurity solutions and adherence to best practices. VCS generates various implications. It has implications for cybersecurity research in heterogeneous contexts to transcend the common cybersecurity compliance approaches. Building on VCS, researchers could develop interventions looking for volitional cybersecurity behaviour change. Also, it provides knowledge that can be useful in the design of self-paced cybersecurity tools. VCS explains why the new self-paced cybersecurity tool needs specific features. The findings of this dissertation have been subsequently applied to the follow-up project design. Further, it has implications for practitioners and service providers to reach out to the potential end-users of their solutions

Automating the Communication of Cybersecurity Knowledge: Multi-Case Study

Cybersecurity is essential for the protection of companies against cyber threats. Traditionally, cybersecurity experts assess and improve a company's capabilities. However, many small and medium-sized businesses (SMBs) consider such services not to be affordable. We explore an alternative do-it-yourself (DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC, implements the Self-Determination Theory (SDT) to guide and motivate SMBs to adopt good cybersecurity practices. CYSEC uses assessment questions and recommendations to communicate cybersecurity knowledge to the end-user SMBs and encourage self-motivated change. In this paper, the operationalisation of SDT in CYSEC is presented and the results of a multi-case study shown that offer insight into how SMBs adopted cybersecurity practices with CYSEC. Effective automated cybersecurity communication depended on the SMB's hands-on skills, tools adaptedness, and the users' willingness to documenting confidential information. The SMBs wanted to learn in simple, incremental steps, allowing them to understand what they do. An SMB's motivation to improve security depended on the fitness of assessment questions and recommendations with the SMB's business model and IT infrastructure. The results of this study indicate that automated counselling can help many SMBs in security adoption. The final publication is available at Springer via https://link.springer.com/chapter/10.1007%2F978-3-030-59291-2_8Comment: 14 pages, 1 figure, 13th World Conference on Information Security Educatio

Development of Criteria for Mobile Device Cybersecurity Threat Classification and Communication Standards (CTC&CS)

The increasing use of mobile devices and the unfettered access to cyberspace has introduced new threats to users. Mobile device users are continually being targeted for cybersecurity threats via vectors such as public information sharing on social media, user surveillance (geolocation, camera, etc.), phishing, malware, spyware, trojans, and keyloggers. Users are often uninformed about the cybersecurity threats posed by mobile devices. Users are held responsible for the security of their device that includes taking precautions against cybersecurity threats. In recent years, financial institutions are passing the costs associated with fraud to the users because of the lack of security. The purpose of this study was to design, develop, and empirically test new criteria for a Cybersecurity Threats Classification and Communication Standard (CTC&CS) for mobile devices. The conceptual foundation is based on the philosophy behind the United States Occupational Safety and Health Administration (OSHA)’s Hazard Communication Standard (HCS) of Labels and Pictograms that is mainly focused on chemical substances. This study extended the HCS framework as a model to support new criteria for cybersecurity classification and communication standards. This study involved three phases. The first phase conducted two rounds of the Delphi technique and collected quantitative data from 26 Subject Matter Experts (SMEs) in round one and 22 SMEs in round two through an anonymous online survey. Results of Phase 1 emerged with six threats categories and 62 cybersecurity threats. Phase 2 operationalized the elicited and validated criteria into pictograms, labels, and safety data sheets. Using the results of phase one as a foundation, two to three pictograms, labels, and safety data sheets (SDSs) from each of the categories identified in phase one were developed, and quantitative data were collected in two rounds of the Delphi technique from 24 and 19 SMEs respectively through an online survey and analyzed. Phase 3, the main data collection phase, empirically evaluated the developed and validated pictograms, labels, and safety data sheets for their perceived effectiveness as well as performed an analysis of covariance (ANCOVA) with 208 non-IT professional mobile device users. The results of this study showed that pictograms were highly effective; this means the participants were satisfied with the characteristics of the pictograms such as color, shapes, visual complexity, and found these characteristics valuable. On the other hand, labels and Safety Data Sheets (SDS) did not show to be effective, meaning the participants were not satisfied or lacked to identify importance with the characteristics of labels and SDS. Furthermore, the ANCOVA results showed significant differences in perceived effectiveness with SDSs with education and a marginal significance level with labels when controlled for the number of years of mobile device use. Based on the results, future research implications can observe discrepancies of pictogram effectiveness between different educational levels and reading levels. Also, research should focus on identifying the most effective designs for pictograms within the cybersecurity context. Finally, longitudinal studies should be performed to understand the aspects that affect the effectiveness of pictograms

Information security frameworks assisting GDPR compliance in bank industry

In the last years, with the consequent increase use of Information Technology (IT) by the population, we watched an increase in the collection and processing of data by the organizations, for various purposes, such as for example the necessary provision of services or marketing campaigns. As a result of the increase of data, there have been several attempts to steal the data to sell or request redemptions from organizations. This situation has shown that organizations as regards data protection and security do not all have the same degree of maturity, and a determining aspect is also that the existing legislation is not the most adequate for the level of IT use in the days of today. To address these issues, the European Union (EU) decided to create the General Data Protection Regulation (GDPR), which entered into force on May 25, 2018, applicable to all organizations dealing with personal data of citizens residing in the European Union. In effect, the organizations combine all their efforts for the implementation of this new regulation, so that fines for non-compliance are not applied. Based on the previous description and with base on a set of best practices and existing frameworks of information security existent currently in the market, this thesis aims to explore how can current IS frameworks help Banks comply with GDPR by mapping the requirements of the regulation with the practices of the frameworks. In a second phase, interviews will be conducted with professionals in the field, in a specific sector where there is more sensitivity for these topics, the bank industry.Nos últimos anos com o consequente aumento do uso de Tecnologias de Informação (TI) pela população, assistimos a um aumento da recolha e tratamento dos dados por parte das organizações, destinando-se a diversos fins, como por exemplo, para a necessária prestação de serviços ou campanhas de marketing. Como consequência do aumento de dados, têm existido diversas tentativas de roubo dos mesmos para se vender ou pedir resgates às organizações. Esta situação tem revelado que as organizações no que respeita à segurança e proteção de dados nem todas têm o mesmo grau de maturidade, sendo que um aspeto também determinante é a legislação existente não ser a mais adequada para o nível de utilização das TI nos dias de hoje. Para colmatar estas falhas a União Europeia (UE) decidiu criar o Regulamento Geral de Proteção de Dados (RGPD), com entrada em vigor a 25 de maio de 2018, aplicável a todos as organizações que tratam dados pessoais de cidadãos residentes na União Europeia (EU). Com efeito as organizações conjugam todos os seus esforços para a implementação deste novo regulamento, de forma a que não sejam aplicadas multas por incumprimento ao mesmo. À imagem do que foi descrito anteriormente e com base num conjunto de boas práticas e frameworks existentes sobre segurança da informação atualmente no mercado, esta tese propõe explorar como os frameworks de segurança da informação podem ajudar os bancos a cumprir com o RGPD, através do mapeamento dos requisitos do regulamento com as práticas dos frameworks. Numa segunda fase realizar-se-á entrevistas com responsáveis na matéria, num setor específico onde existe mais sensibilidade no que toca a estes temas, o setor da banca

The Impact of Quality Standards on the Business Performance of Small, Medium and Micro-Sized Enterprises in Kwazulu-Natal: Selected Cases in the Durban Metropolitan Area

In the last decade, scholars showed an interest in alluding to compliance as a necessity to support small business performance in the last decades. Over the years, organisations have been frequently criticised for failing to comply with the quality standards such as the South African National Standards (SANS) 9001/ISO 9001 require effective implementation of Quality Management Systems and SANS 342, which provides specifications for diesel fuel products. Quality standards matrix adopted by the South African Bureau of Standards (SABS) is frequently used as a set of detailed specifications, requirements, various guidelines and characteristics to assure that the product, service or process is fit for purpose. Even though public and semi-autonomous institutions understand the value of subscribing and complying with quality standards, there is still a gap in the literature regarding the enforcement and compliance of quality standards in small business practices. There is a relationship between the adoption of quality standards and business excellence. Government can tap on the competitiveness of small, medium and micro-sized enterprises (SMMEs) and address their challenges and barriers that limit SMMEs to acquisition and compliance of statutory quality management systems

An Empirical Assessment of Users\u27 Information Security Protection Behavior towards Social Engineering Breaches

User behavior is one of the most significant information security risks. Information Security is all about being aware of who and what to trust and behaving accordingly. Due to technology becoming an integral part of nearly everything in people\u27s daily lives, the organization\u27s need for protection from security threats has continuously increased. Social engineering is the act of tricking a user into revealing information or taking action. One of the riskiest aspects of social engineering is that it depends mainly upon user errors and is not necessarily a technology shortcoming. User behavior should be one of the first apprehensions when it comes to social engineering. Unfortunately, there are few specific studies to understand factors that affect users\u27 information security protection behavior towards social engineering breaches. The focus of the information security literature is shifting from technology to user behavior in recent times. SETA (Security Education Training Awareness) program aids organizations in teaching their users about information security issues and expectations to prevent information security breaches. Information security policies depict the rules and regulations that everyone must follow utilizing an organization\u27s information technology resources. This research study used Protection Motivation Theory (PMT) combined with the SETA program and security policies to determine factors that affect users\u27 information security protection behavior towards social engineering breaches. This research study was an empirical and quantitative study to congregate data utilizing a web survey and PLS-SEM (Partial Least Squares Structural Equation Modeling) technique. As a result, the research study supported all three hypotheses associated with fear, including a positive impact of perceived severity on fear, perceived vulnerability on fear, and fear on protection motivation. Moreover, the research study substantiated the positive impact of perceived severity, perceived vulnerability, and response efficacy on protection motivation. Furthermore, the research study also confirmed the positive impact of protection motivation and the SETA program on protection behavior. The findings of this research study derived that, unswerving with the literature, social engineering has arisen as one of the biggest threats in information security. This research study explored factors impacting users\u27 information security protection behavior towards social engineering breaches. Support of all hypotheses for fear appeal is a substantial contribution in view of a lesser-researched fear appeal in preceding research using PMT. This research study provided the groundwork for encouraging and nurturing users\u27 information security protection behavior to prevent social engineering breaches. Finally, this research study contributes to the increasing phenomenon of social engineering in practice and future research