
    To Fear or Not to Fear? A Critical Review and Analysis of Fear Appeals in the Information Security Context

    Controlling organizational insiders' security behaviors is an important management concern. Research presents fear appeals as a viable security control to promote protective security behaviors. To date, research has held that security-related fear appeals effectively control insiders' security behaviors. However, when we critically examine fear appeals, we find a different story. Specifically, we critically analyze security-related fear appeal research from two ontological positions: critical realism and critical constructivism. The critical realist analysis identifies several issues with existing fear appeal research, which particular research traditions may cause; we explicate these traditions and issues in the paper. The critical constructivist analysis draws on critical management studies of control and Foucault's work to identify the identities, beliefs, and values that fear appeals promote, and the ways in which fear appeals create discursive closures that limit the consideration and discussion of other positions. Based on the two analyses, we provide important directions for future fear appeal research.

    Building General Knowledge of Mechanisms in Information Security

    We show how more general knowledge can be built in information security by building knowledge of mechanism clusters, some of which are multifield. In doing so, we address in a novel way the longstanding philosophical problem of how, if at all, we come to have knowledge that is in any way general when we seem to be confined to particular experiences. We also address the issue of building knowledge of mechanisms by studying an area that is new to the mechanisms literature: the methods of what we shall call mechanism discovery in information security. This domain offers a fascinating novel constellation of challenges for building more general knowledge. Specifically, the building of stable, communicable mechanistic knowledge is impeded by the inherent changeability of software, which malicious actors exploit by constantly changing how their software attacks, and also by an ineliminable secrecy concerning the details of attacks, not just on the part of attackers (black hats) but also on the part of information security defenders (white hats), who protect their methods from both attackers and commercial competitors. We draw out ideas from the work of the mechanists Darden, Craver, and Glennan to yield an approach to how general knowledge of mechanisms can be painstakingly built. We then use three related examples of active research problems from information security (botnets, computer network attacks, and malware analysis) to develop philosophical thinking about building general knowledge using mechanisms, and also apply this to develop insights for information security. We show that further study would be instructive both for practitioners (who might welcome the help in conceptualizing what they do) and for philosophers (who will find novel insights into building general knowledge of a highly changeable domain that has been neglected within philosophy of science).

    Crafting Organizational Information Security Policies

    An organizational information security policy (InfoSec policy) is a direction-giving instrument for information security within an organization that seeks to communicate the organization's posture in protecting its information assets. Researchers and practitioners alike agree that an InfoSec policy has a foundational role in securing an organization's information assets. In an era where information is a precious resource and information security breaches are ever more prevalent, developing such a policy has become even more crucial for organizations. The importance of an InfoSec policy has resulted in scholarly research on the policy's contents and structure, and on the means to promote employee compliance with the set policies. With regard to policy development, research has privileged abstractions: abstract methods and procedures that policy development should follow. By emphasizing such abstractions, research has paid less attention to how policies are crafted in practice. Therefore, the purpose of this dissertation, which consists of a compendium of articles, is to increase our understanding of the crafting of InfoSec policies. Theoretically, the dissertation draws on practice theory, which takes orderly social and materially mediated doings and sayings ("practices") as an arena for studying organizational phenomena. Empirically, the dissertation includes three qualitative studies: two ethnographic studies on InfoSec policy crafting and one case study on the implications of the crafting for policy compliance. Empirical material includes participant and non-participant observation, documentary sources, and semi-structured interviews. The dissertation contributes to the literature on information security management. Its primary contribution is the conceptualization of InfoSec policy crafting as emerging in the lived contradictions between international information security best practices and local organizational practices.
    More broadly, the dissertation contributes to research on InfoSec policy development by positing that understanding policy crafting requires deep engagement with the actors who participate in the crafting and with the field where the policy is crafted. Further, the dissertation contributes to discussions on policy compliance by suggesting that compliance should be considered as partly emerging from and through the practices of policy crafting and as relational to them. The potential for developing the policy as a joint engagement with different organizational members should not be underestimated. The argument developed in this dissertation is that both organizations and research should place more emphasis on the practical accomplishment of InfoSec policy crafting. InfoSec policy development is not about following a rote procedure; it is a practical, joint, and skilled accomplishment: a craft. Policy crafting influences what is included in and excluded from the policy and how the policy will be complied with.

    Strategies for the Reduction of Cybersecurity Breaches in Hospitals

    Recent cyberattacks on hospitals show the urgency of the need for a more secure information technology (IT) infrastructure. Hospitals face statistically higher cyber risk from ransomware, malware, hacking, and insider threats than other industries. Guided by routine activity theory, the purpose of this exploratory multiple case study was to explore strategies used by hospitals' IT security managers to reduce cybersecurity breaches involving sensitive data. The participants were nine IT security managers from hospitals in the eastern United States. Data were collected via semi-structured interviews and supporting documentation from the consenting participants and the hospitals' websites. Through thematic analysis, seven core themes emerged: (a) ensure adherence to a leading cybersecurity framework, (b) implement adequate and effective cybersecurity controls, (c) conduct regular cybersecurity risk assessments, (d) maintain air-gapped (offline) backups, (e) cultivate a security awareness culture, (f) encrypt all data at rest and in transit, and (g) keep abreast of cybersecurity news and risks. A key recommendation for IT security managers is to treat regularly updated, tested backups as a crucial tactic for reducing exposure to cybercriminals. The implications for positive social change include the potential to increase patients' trust and reduce threats to human life.

    Obstacles With Data Security: Strategies From Carolina Universities

    Some university data custodians lack information security strategies to prevent data security breaches. Reducing the fraudulent use of personally identifiable information (PII) obtained maliciously from colleges and universities should be important to university data custodians, IT leadership at all levels, state legislators, and individuals interested in moving into the cybersecurity space in higher education. Grounded in general systems theory, the purpose of this multiple qualitative case study was to examine the information security strategies that university data custodians use to protect PII collected from staff, students, and other stakeholders. The participants consisted of 15 college and university data custodians in North Carolina and South Carolina who had implemented security strategies. Semi-structured virtual interviews were used to collect data. The verbatim transcripts were analyzed using thematic analysis in conjunction with Tesch's data coding process and then compared to current literature as a control. Five key themes emerged: (a) adaptive security measures, (b) the necessity for buy-in, resources, or both, (c) proper management and personnel, (d) requirements based on state and industry regulations, and (e) security education, training, and awareness. University data custodians should implement, promote, and monitor comprehensive information security strategies to protect university PII. The implications for positive social change include potential leadership awareness of the need to protect university PII and minimize the adverse effects of a data breach.

    The Effects of Computer Crimes on the Management of Disaster Recovery

    The effects of a technology disaster on an organization can include prolonged disruption, loss of reputation, monetary damages, and the inability to remain in business. Although much is known about disaster recovery and business continuity, little research has been produced on how businesses can leverage other technology frameworks to assist information technology disaster recovery. The problem was the lack of organizational knowledge on recovering from computer crime interruptions given the maturity level of existing disaster recovery programs. The purpose of this Delphi study was to understand how disaster recovery controls and processes can be modified to improve the response to a business interruption caused by computer crime. The overarching research question was what factors emerge relative to the ability of disaster recovery programs to respond to disasters caused by computer crimes. The conceptual framework included a maturity model for examining how programs might be improved to respond to the computer crime threat. Research data were collected from a three-round Delphi study of 22 experts in the fields of disaster recovery and information security. The Delphi results reflect a consensus reached by the panel. Key findings included the need to plan for cybersecurity, align disaster recovery with cybersecurity, provide cybersecurity training for managers and staff, and apply lessons learned from experience. Implications for positive social change include the ability of organizations to return to an acceptable level of operation and continue their service, benefiting employees, customers, and other stakeholders.

    TECHNOLOGY THREAT AVOIDANCE FACTORS AS PREDICTORS OF RISKY CYBERSECURITY BEHAVIOR WITHIN THE ENTERPRISE

    Recent research on information technology (IT) end-user cybersecurity-related risky behaviors has focused on factors such as IT user decision-making, impulsiveness, and internet use as predictors of human cyber vulnerability. Theories that guide human behavioral intent, such as protection motivation theory (PMT, introduced by Rogers, 1975) and technology threat avoidance theory (TTAT, introduced by Liang and Xue, 2009), have not been widely investigated as antecedents of risky cybersecurity behavior (RScB). This dissertation describes exploratory research that analyzed and evaluated PMT/TTAT factors as predictors of RScB by enterprise IT users. This work uniquely contributes to the literature by investigating associations between accepted behavioral motivation models and RScB. The findings are intended to provide human resource development (HRD) practitioners and researchers with innovative techniques to identify factors that may compel enterprise IT users to avoid risky cybersecurity behaviors in the workplace. The findings, based on survey responses from 184 working professionals in the United States, were largely consistent with previous TTAT-focused work. New insights arose regarding perceived cost as a predictor of RScB (p = .003), with small-to-medium effect sizes. Predictability was further examined using discriminant analysis to predict RScB category membership derived from k-means clustering. Significant outcomes with practical utility were noted. An overarching goal of this study was to more fully inform the HRD community of scholar-practitioners of the urgent need to design, deliver, implement, and evaluate initiatives that could diminish inappropriate and costly cybersecurity behaviors in various workplace environments.

    Tackling the barriers to achieving Information Assurance

    A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy. This original, reflective practitioner study researched whether professionalising Information Assurance (IA) could be successfully achieved, in line with the expectations of the UK Cyber Security Strategy. The context was an observed shift in the dominant narrative from IA to cybersecurity. The research provides a dialectical relationship with the past to improve IA understanding. The academic contribution: using archival and survey data, the research traced the origins of the term IA and its practitioner usage in the context of the increasing use of the neologism cybersecurity, contributing to knowledge through historical research. The researcher conducted discourse analysis of predominantly UK government reports, policy direction, and legislative and regulatory changes, reviewing texts to explore the functions served by specific constructions, mainly Information Security (Infosec) versus IA. The researcher studied how accounts were linguistically constructed in terms of the descriptive, referential, and rhetorical language used, and the function that language serves. The results were captured in a chronological review of IA ontology. The practitioner contribution: through an initial Participatory Action Research (PAR) public sector case study, the researcher sought to make sense of how the IA profession operates and how it was maturing. Data collected from self-professed IA practitioners provided empirical evidence. The researcher undertook evolutionary work analysing survey responses and developed theories from the analysis to answer the research questions. The researcher observed a need to implement a unified approach to Information Governance (IG) on a large, organisation-wide scale.
    Using constructivist grounded theory, the researcher developed a new theoretical framework, i3GRC™ (Integrated and Informed Information Governance, Risk, and Compliance), based on what people actually say and do within the IA profession. i3GRC™ supports the required Information Protection (IP) through maturation from IA to holistic IG. Again using PAR, the theoretical framework was tested through a private sector case study, the resulting experience strengthening the bridge between academia and practitioners.

    Safeguarding Employee Privacy in U.S.-Based Small and Midsized Businesses

    Employee privacy is a contentious concern between employees and employers in the United States. Terminating over-surveilled employees may result in sustained claim costs for a company. Grounded in complexity theory and complexity leadership theory, the purpose of this qualitative multiple case study was to explore the strategies small business leaders/agents use to safeguard employee privacy. The participants included three privacy practitioners: one consultant and two small business leaders/agents in the Mid-Atlantic U.S. region who had successfully safeguarded employee privacy. A thematic analysis using primary and secondary sources identified three principal themes: (a) environmental privacy, (b) autonomy privacy, and (c) personal information privacy. A key recommendation is for business leaders to design a human-centric employee privacy program with defensive and offensive strategies that balance autonomy with accountability. This study has implications for positive social change in that it may inform efficacious strategies to promote employee privacy that catalyze employee innovation and improve business performance, enabling organizations to sustain their contributions to the citizens of their local communities.