Enhancing the Conventional Information Security Management Maturity Model (ISM3) in Resolving Human Factors in Organization Information Sharing

Information sharing in organization has been considered as an important approach in increasing organizational efficiency, performance and decision making. With the present and advances in information and communication technology, sharing information and exchanging of data across organizations has become more feasible in organization. However, information sharing has been a complex task over the years and identifying factors that influence information sharing across organization has becomes crucial and critical. Researchers have taken several methods and approaches to resolve problems in information sharing at all levels without a lasting solution, as sharing is best understood as a practice that reflects behavior, social, economic, legal and technological influences. Due to the limitation of the conventional ISM3 standards to address culture, social, legislation and human behavior, the findings in this paper suggest that, a centralized information structure without human practice, distribution of information and coordination is not effective. This paper reviews the previous information sharing research, outlines the factors affecting information sharing and the different practices needed to improve the management of information security by recommending several combinations of information security and coordination mechanism for reducing uncertainty during sharing of information .This thesis proposes information security management protocol (ISMP) as an enhancement towards ISM3 to resolve the above problems. This protocol provides a means for practitioners to identify key factors involved in successful information sharing....

Security awareness and affective feedback:categorical behaviour vs. reported behaviour

A lack of awareness surrounding secure online behaviour can lead to end-users, and their personal details becoming vulnerable to compromise. This paper describes an ongoing research project in the field of usable security, examining the relationship between end-user-security behaviour, and the use of affective feedback to educate end-users. Part of the aforementioned research project considers the link between categorical information users reveal about themselves online, and the information users believe, or report that they have revealed online. The experimental results confirm a disparity between information revealed, and what users think they have revealed, highlighting a deficit in security awareness. Results gained in relation to the affective feedback delivered are mixed, indicating limited short-term impact. Future work seeks to perform a long-term study, with the view that positive behavioural changes may be reflected in the results as end-users become more knowledgeable about security awareness

Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors

Employees continue to be the weak link in organizational security management and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making e.g. protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies and by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot- and stick-related situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.</p

“This is the way ‘I’ create my passwords ...":does the endowment effect deter people from changing the way they create their passwords?

The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also "own", and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the \value" of their existing routines, in terms of the protection they afford, and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of pre-existing and proposed new routine is skewed by the activation of the endowment effect.In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines

Why do People Adopt, or Reject, Smartphone Security Tools?

A large variety of security tools exist for Smartphones, to help their owners to secure the phones and prevent unauthorised others from accessing their data and services. These range from screen locks to antivirus software to password managers. Yet many Smartphone owners do not use these tools despite their being free and easy to use. We were interested in exploring this apparent anomaly. A number of researchers have applied existing models of behaviour from other disciplines to try to understand these kinds of behaviours in a security context, and a great deal of research has examined adoption of screen locking mechanisms. We review the proposed models and consider how they might fail to describe adoption behaviours. We then present the Integrated Model of Behaviour Prediction (IMBP), a richer model than the ones tested thus far. We consider the kinds of factors that could be incorporated into this model in order to understand Smartphone owner adoption, or rejection, of security tools. The model seems promising, based on existing literature, and we plan to test its efficacy in future studies

Assessing the impact of affective feedback on end-user security awareness

A lack of awareness regarding online security behaviour can leave users and their devices vulnerable to compromise. This paper highlights potential areas where users may fall victim to online attacks, and reviews existing tools developed to raise users’ awareness of security behaviour. An ongoing research project is described, which provides a combined monitoring solution and affective feedback system, designed to provide affective feedback on automatic detection of risky security behaviour within a web browser. Results gained from the research conclude an affective feedback mechanism in a browser-based environment, can promote general awareness of online security