328 research outputs found

    Assessing the Presence of Mindfulness within Cyber and Non-Cybersecurity groups

    Corporations and individuals continue to be under Phishing attack. Researchers categorize methods corporations and individuals can employ to reduce the impact of being caught in a Phishing scheme. Corporations enable technical mechanisms such as automated filtering, URL blacklisting, and manipulation of browser warning messages to reduce phishing susceptibility costing billions of dollars annually. However, even with robust efforts to educate employees about phishing techniques through security awareness training the abundance of attacks continues to plague organizations. This study aims to identify whether a correlation exists between mindfulness and phishing susceptibility. The goal of this research is to determine if mindful individuals are less susceptible to phishing. By showing individuals with increased awareness are significantly able to identify areas that phishing attempts exploit. Based on a review of the literature a misconception exists between end-users, corporations and Internet Service Providers (ISP) regarding ownership of Phishing identification. Specifically, individuals blame ISPs and corporate information technology departments for failing to protect them from Phishing attacks. Still, the truth of the matter is that the end-user is ultimately the weakest link in the phishing identification chain. The methodology of this study polled participants through initial screening focusing on whether the individuals were mindful using the Mindful Attention Awareness Scale (MAAS) survey. Conclusions seen in this study in contrast with other studies saw no significant correlation between Mindfulness and phishing susceptibility, increase in cogitative ability or increase in Phishing identification. Thus, continued use of MAAS survey questionnaire is necessary to screen other groups for phishing awareness prior to focusing on other phishing cues

    The Informed Human Firewall: The Impact of Knowledge Dimensions on Employees' Secure Behavior

    Organizations implement a variety of knowledge mechanisms such as information security education, training, and awareness (SETA) programs and information security policies to influence employees’ secure behavior. However, skills gained through these knowledge mechanisms have not always translated to secure behavior. Protection motivation theory (PMT) is a widely used and accepted theory in information security behavioral research. Nevertheless, information security research has not examined the impact of knowledge mechanisms on PMT psychological processes. This study explains the key psychological processes that influence employees’ secure behavior and seeks to understand how organizational knowledge mechanisms influence these key psychological processes that form threat perceptions. Drawing on the knowledge management literature, the impact of knowledge mechanisms on users’ threat perceptions was conceptualized and examined across three knowledge dimensions: breadth, depth, and finesse. The research also applied construal level theory (CLT) to provide a means to measure the psychological constructs of PMT from an individual’s perspective. The research conceptualizes the PMT psychological process based on the threat un-desirability and coping feasibility. The four dimensions of the psychological distance from CLT (temporal, social, spatial, and hypothetical) formed the threat un-desirability while response efficacy and difficulty formed the coping feasibility construct. This study empirically tested the model using a multi-method approach. The first method used an experiment with 262 students to validate the CLT driven constructs and its impact on protection motivation. The second study tested the overall model, including knowledge mechanisms dimensions, across a sample of 219 industry professionals. The theoretical model was tested using a structural equation modeling (SEM) approach.
Results show support that the psychological distance from the threat allows employees to perceive the personal impact of the threat. Results also support that the key psychological constructs, threat un-desirability and coping feasibility, influence employees’ behavioral choices. This research offers noteworthy contributions to the literature. It provides a greater understanding of the role of knowledge dimensions to motivate compliance. The research also presented an improved model that preserves the original intent of PMT in the context of information security. Finally, the research presented a generalizable and practical business approach to a traditionally technical topic. Keywords: Information security, secure behavior, compliance, construal level theory, knowledge dimensions, protection motivation, security policies, security education and training awareness, SETA programs, information security threats

    An Empirical Assessment of Users' Information Security Protection Behavior towards Social Engineering Breaches

    User behavior is one of the most significant information security risks. Information Security is all about being aware of who and what to trust and behaving accordingly. Due to technology becoming an integral part of nearly everything in people's daily lives, the organization's need for protection from security threats has continuously increased. Social engineering is the act of tricking a user into revealing information or taking action. One of the riskiest aspects of social engineering is that it depends mainly upon user errors and is not necessarily a technology shortcoming. User behavior should be one of the first apprehensions when it comes to social engineering. Unfortunately, there are few specific studies to understand factors that affect users' information security protection behavior towards social engineering breaches. The focus of the information security literature is shifting from technology to user behavior in recent times. SETA (Security Education Training Awareness) program aids organizations in teaching their users about information security issues and expectations to prevent information security breaches. Information security policies depict the rules and regulations that everyone must follow utilizing an organization's information technology resources. This research study used Protection Motivation Theory (PMT) combined with the SETA program and security policies to determine factors that affect users' information security protection behavior towards social engineering breaches. This research study was an empirical and quantitative study to congregate data utilizing a web survey and PLS-SEM (Partial Least Squares Structural Equation Modeling) technique. As a result, the research study supported all three hypotheses associated with fear, including a positive impact of perceived severity on fear, perceived vulnerability on fear, and fear on protection motivation.
Moreover, the research study substantiated the positive impact of perceived severity, perceived vulnerability, and response efficacy on protection motivation. Furthermore, the research study also confirmed the positive impact of protection motivation and the SETA program on protection behavior. The findings of this research study derived that, unswerving with the literature, social engineering has arisen as one of the biggest threats in information security. This research study explored factors impacting users' information security protection behavior towards social engineering breaches. Support of all hypotheses for fear appeal is a substantial contribution in view of a lesser-researched fear appeal in preceding research using PMT. This research study provided the groundwork for encouraging and nurturing users' information security protection behavior to prevent social engineering breaches. Finally, this research study contributes to the increasing phenomenon of social engineering in practice and future research

    Mobile Identity Protection: The Moderation Role of Self-Efficacy

    The rapid growth of mobile applications and the associated increased dependency on digital identity raises the growing risk of identity theft and related fraud. Hence, protecting identity in a mobile environment is a problem. This study develops a model that examines the role of identity protection self-efficacy in increasing users’ motivation intentions to achieve actual mobile identity protection. Our research found that self-efficacy significantly affects the relationship between users’ perceived threat appraisal and their motivational intentions for identity protection. The relation between mobile users’ protection, motivational intentions, and actual mobile identity protection actions was also found to be significant. Additionally, the findings revealed the considerable impact of awareness in fully mediating between self-efficacy and actual identity protection. The model and its hypotheses are empirically tested through a survey of 383 mobile users, and the findings are validated through a panel of experts, thus confirming the impact of self-efficacy on an individual’s identity protection in the mobile context

    Cybersecurity Strategies for Universities With Bring Your Own Device Programs

    The bring your own device (BYOD) phenomenon has proliferated, making its way into different business and educational sectors and enabling multiple vectors of attack and vulnerability to protected data. The purpose of this multiple-case study was to explore the strategies information technology (IT) security professionals working in a university setting use to secure an environment to support BYOD in a university system. The study population was comprised of IT security professionals from the University of California campuses currently managing a network environment for at least 2 years where BYOD has been implemented. Protection motivation theory was the study's conceptual framework. The data collection process included interviews with 10 IT security professionals and the gathering of publicly-accessible documents retrieved from the Internet (n = 59). Data collected from the interviews and member checking were triangulated with the publicly-accessible documents to identify major themes. Thematic analysis with the aid of NVivo 12 Plus was used to identify 4 themes: the ubiquity of BYOD in higher education, accessibility strategies for mobile devices, the effectiveness of BYOD strategies that minimize risk, and IT security professionals' tasks include identifying and implementing network security strategies. The study's implications for positive social change include increasing the number of users informed about cybersecurity and comfortable with defending their networks against foreign and domestic threats to information security and privacy. These changes may mitigate and reduce the spread of malware and viruses and improve overall cybersecurity in BYOD-enabled organizations

    In Quest of information security in higher education institutions: security awareness, concerns and behaviour of students

    Humans, often suggested as the weakest link in information security, require security education, training and awareness (SETA) programs to strengthen themselves against information security threats. These SETA programs improve security awareness (also called information security awareness or ISA) which makes users conscious about the information security threats and risks and motivates them to learn knowledge and measures to safeguard their information security. Studies have shown that most of the SETA programs do not achieve their desired objectives and have been proven ineffective. This ineffectiveness is probably because: 1) current SETA programs are designed as a one-fits-all solution and are not tailored as per users’ needs, 2) users are not included in the design phase of the SETA programs and 3) the SETA programs lack theory-grounded approaches. Nonetheless, the relationship between ISA and security behaviour also needs explanation. This thesis sets out to address the issues mentioned above. In this thesis, four separate studies grounded in both quantitative and qualitative methods are conducted. Cross-sectional data from students of a single case was collected using online surveys, with one exception in which data was collected as part of a class assignment. The results showed that, in general, students believed they know more than they actually did. The impacts of gender, previous training, and educational discipline were evident on security knowledge, behaviour, perceived awareness and actual awareness. Students have a wide range of security concerns, related to their personal, social, technological, non-technological and institutional dimensions of everyday life, and not just technological and non-technological aspects as shown in the existing literature. Further, students differ significantly from security experts in terms of their security practices.
However, aware students (having training in information security) were more similar in security practices to security experts than the unaware students (having no formal or informal information security training). Lastly, it was found that the relationship between ISA and security behaviour can be explained using Information-Motivation-Behavioural Skills (IMB) model. The research presented in this thesis has implications for faculty members who teach students and the security professionals responsible for information security of higher education institutions. Humans are often perceived as the weakest link in information security. To be able to protect against information security threats, dedicated security education, training and awareness are needed. Various security training programs increase a person's awareness of different information security threats and risks and motivate them to learn practices and measures that improve personal information security. Studies have shown, however, that most security training programs do not achieve their desired objectives, and they have proven ineffective. The ineffectiveness is probably due to the fact that (1) the training programs are not tailored to users' needs but are generic, (2) users have not been included in the design of the training programs, and (3) the training programs lack theory-based approaches. This dissertation examines the above-mentioned shortcomings and investigates the relationship between human information security behaviour and awareness. The results presented in the dissertation were obtained by conducting four separate studies using quantitative and qualitative methods. Data was collected from the students who were the subjects of the studies using online surveys, except in one case in which the survey was carried out as part of a course assignment. The results show that, in general, students believed they knew more than they actually did.
Gender, previous training and academic discipline had a clear effect on respondents' security behaviour, as well as on both perceived and actual awareness. Students have many kinds of security-related concerns, which relate to personal, social, technological, non-technological and everyday dimensions. This differs from the view in the current literature, which covers only the technological and non-technological dimensions. Students differ significantly from security experts in their security practices. Students who had received security training and were more aware were closer in behaviour to security experts than students who were less aware and had received less training on the subject. The study also found that the relationship between information security awareness and behaviour can be explained using the IMB model (Information-Motivation-Behavioural Skills model). The research presented in this dissertation and its results can be used directly by the teaching staff of higher education institutions and the professionals responsible for information security

    TECHNOLOGY THREAT AVOIDANCE FACTORS AS PREDICTORS OF RISKY CYBERSECURITY BEHAVIOR WITHIN THE ENTERPRISE

    Recent research of information technology (IT) end-user cybersecurity-related risky behaviors has focused on items such as IT user decision-making, impulsiveness, and internet use as predictors of human cyber vulnerability. Theories which guide user human behavioral intent, such as protection motivation theory (PMT, introduced by Rogers, 1975) and technology threat avoidance theory (TTAT, introduced by Liang and Xue, 2009) have not been widely investigated as antecedents of risky cybersecurity behavior (RScB). This dissertation describes exploratory research that analyzed and evaluated PMT/TTAT factors as predictors of RScB by enterprise IT users. This work uniquely contributes to the literature by investigating associations between accepted behavioral motivation models and RScB. Findings are intended to provide human resource development (HRD) practitioners and researchers innovative techniques to identify factors which may compel enterprise IT users to avoid risky cybersecurity behaviors in the workplace. Findings, based on survey responses by 184 working professionals in the United States, were largely consistent with previous TTAT-focused works. New insights arose regarding the predictive impact of perceived cost as a predictor of RScB (p = .003) with small-to-medium effect sizes. Predictability was further leveraged using discriminant analysis to predict RScB category membership derived from k-means clustering. Significant outcomes were noted with practical utility. An overarching goal of this study was to more fully inform the HRD community of scholar-practitioners of the urgent need to design, deliver, implement, and evaluate initiatives that could be utilized to diminish inappropriate and costly cybersecurity behaviors in various workplace environments

    Refining the Threat Calculus of Technology Threat Avoidance Theory

    The number of people using fitness devices and mobile health applications creates unprecedented amounts of health-related fitness data. In the United States, healthcare regulations do not consider the data that these devices collect as protected health information when no covered entity is involved; therefore, the law does not provide such data with the same legal protections as an individual’s health records. Thus, users must ensure that they keep their data safe from potential data breaches and malicious activities. In this study, we analyze users’ motivations to implement safeguards to protect their private health-related fitness data. To test user motivation, we issued wearable activity tracking devices and an associated online health fitness data account to students. We instructed the students about how to use the fitness device and how the device connected to the user’s phone and Web-based application. We then had them complete a survey to determine how they form their threat perceptions and other factors influencing their avoidance motivations for computer-security incidents. With the exception of safeguard cost and privacy concerns, results support a revised threat calculus in the TTAT model and the original model constructs