Why do People Adopt, or Reject, Smartphone Security Tools?

A large variety of security tools exist for Smartphones, to help their owners to secure the phones and prevent unauthorised others from accessing their data and services. These range from screen locks to antivirus software to password managers. Yet many Smartphone owners do not use these tools despite their being free and easy to use. We were interested in exploring this apparent anomaly. A number of researchers have applied existing models of behaviour from other disciplines to try to understand these kinds of behaviours in a security context, and a great deal of research has examined adoption of screen locking mechanisms. We review the proposed models and consider how they might fail to describe adoption behaviours. We then present the Integrated Model of Behaviour Prediction (IMBP), a richer model than the ones tested thus far. We consider the kinds of factors that could be incorporated into this model in order to understand Smartphone owner adoption, or rejection, of security tools. The model seems promising, based on existing literature, and we plan to test its efficacy in future studies

BYOD: Risk considerations in a South African organisation

In recent times, while numerous organisations have difficulty keeping abreast with the frequent year-on-year technology changes, their employees on the other hand, continue to bring their personal devices to work to more readily access organisational data. This concept is known as Bring Your Own Device (BYOD). Studies have demonstrated that the introduction of BYOD commonly has a positive effect on both organisation and employees: increased optimism, job satisfaction and productivity are some of the perceived positive effects. Furthermore, BYOD can improve employees’ opportunities for mobile working and assist with the work flexibility they seek. This phenomenon, however, is still not well understood. In the South African context, this refers particularly to an inadequate understanding of risks associated with the introduction of BYOD into organisations. Some of the risks associated with this phenomenon are, for instance, related to information security, legislation and privacy issues. Hence, the intention of this research was to investigate, determine and assess BYOD risk considerations in a South African organisation. Using the available literature on this subject and an interpretative exploratory case study approach, this research explored various facets of BYOD-related risks (e.g. implementational, technological, legislation, regulation and privacy risks, human aspects and organisational concerns) as well as the impact these risks may have on both employees and an organisation. The organisation under investigation – from this point onward referred to as “Organisation A” – is a South African based information technology (IT) security consulting and service management organisation, which has seen increased expansion in its business and thus an increase in the number of its employees utilising their personal devices at the workplace. Even so, Organisation A was uncertain regarding possible risks that might hinder benefits of BYOD. Hence, this researcher defined the main research question as “What are the risks of introducing the BYOD in the South African organisation and what is an effective approach to address identified risks?”. The main objective was to identify and describe BYOD-related risks and to propose an appropriate model for addressing these risks. To answer the main research question, this researcher reviewed the applicable literature on the BYOD, including the limited South African literature pertaining to the subject. The review elicited the most common BYOD-related risks but also some models, frameworks and standards that may be applied for addressing these risks. Based on these revelations, an applicable BYOD risk management model was created and proposed. The literature review findings were subsequently tested in the empirical setting (in Organisation A) by conducting comprehensive interviews with research participants. This research adopted a qualitative approach in general and a case study methodology in particular. The collected data were analysed using the interpretative phenomenological analysis (IPA), which aided in providing a comprehensive understanding of the interviewees’ responses regarding the BYOD risks. The interviewees were selected based on a purposeful (pre-defined) sampling. The results of this interpretative research suggest that the interviewees’ responses are closely aligned with the information on BYOD risks collected from the pertinent literature. The results show that successful introduction and usage of BYOD in the studied organisation requires the implementation of mixed risk management measures: technological (e.g. mobile device management and its additional components), non-technological (e.g. IT or BYOD security policies), the usage of general risk management frameworks (e.g. ISO 27001), the development of an organisational security culture and skilling of the human factor (e.g. employee awareness, training and education, for example). Additionally, it was found that participation of employees in the development of BYOD policies is an essential and effective tactic for transforming a fragile BYOD risk link (i.e. employees) into a strong risk prevention mechanism. Furthermore, this research also revealed that in the South African context, it is important that an organisation’s BYOD security policies are sound, preferably meeting the POPI Act requirements and thereby avoiding legislation risks. The contribution of this research is twofold: first academic, and second, practical. The academic contribution is realised by adding to the body of knowledge on the BYOD risks – most particularly in terms of understanding potential risks when introducing BYOD in the South African context. The practical contribution manifests through the provision of detailed risk considerations and mitigation guidelines for organisations wishing to introduce BYOD practices or considering ways to improve their current BYOD risk management strategy. It is acknowledged that this research has some limitations, particularly in regard to the limited generalisation of the findings due to the limited sample provided by only one organisation. Although the results are not necessarily applicable to other South African organisations, these limitations did not impact the relevance and validity of this research

Smartphones

Many of the research approaches to smartphones actually regard them as more or less transparent points of access to other kinds of communication experiences. That is, rather than considering the smartphone as something in itself, the researchers look at how individuals use the smartphone for their communicative purposes, whether these be talking, surfing the web, using on-line data access for off-site data sources, downloading or uploading materials, or any kind of interaction with social media. They focus not so much on the smartphone itself but on the activities that people engage in with their smartphones

Exploring Consumers’ Attitudes of Smart TV Related Privacy Risks

A number of privacy risks are inherent in the Smart TV ecosystem. It is likely that many consumers are unaware of these privacy risks. Alternatively, they might be aware but consider the privacy risks acceptable. In order to explore this, we carried out an online survey with 200 participants to determine whether consumers were aware of Smart TV related privacy risks. The responses revealed a meagre level of awareness. We also explored consumers’ attitudes towards specific Smart TV related privacy risks. We isolated a number of factors that influenced rankings and used these to develop awareness-raising messages. We tested these messages in an online survey with 155 participants. The main finding was that participants were generally unwilling to disconnect their Smart TVs from the Internet because they valued the Smart TV’s Internet functionality more than their privacy. We subsequently evaluated the awareness-raising messages in a second survey with 169 participants, framing the question differently. We asked participants to choose between five different Smart TV Internet connection options, two of which retained functionality but entailed expending time and/or effort to preserve privacy

Information security concerns around enterprise bring your own device adoption in South African higher education institutions

The research carried out in this thesis is an investigation into the information security concerns around the use of personally-owned mobile devices within South African universities. This concept, which is more commonly known as Bring Your Own Device or BYOD has raised many data loss concerns for organizational IT Departments across various industries worldwide. Universities as institutions are designed to facilitate research and learning and as such, have a strong culture toward the sharing of information which complicates management of these data loss concerns even further. As such, the objectives of the research were to determine the acceptance levels of BYOD within South African universities in relation to the perceived security risks. Thereafter, an investigation into which security practices, if any, that South African universities are using to minimize the information security concerns was carried out by means of a targeted online questionnaire. An extensive literature review was first carried out to evaluate the motivation for the research and to assess advantages of using Smartphone and Tablet PC’s for work related purposes. Thereafter, to determine security concerns, other surveys and related work was consulted to determine the relevant questions needed by the online questionnaire. The quantity of comprehensive academic studies concerning the security aspects of BYOD within organizations was very limited and because of this reason, the research took on a highly exploratory design. Finally, the research deliberated on the results of the online questionnaire and concluded with a strategy for the implementation of a mobile device security strategy for using personally-owned devices in a work-related environment

The Revolution of Mobile Phone-Enabled Services for Agricultural Development (m-Agri Services) in Africa: The Challenges for Sustainability

The provision of information through mobile phone-enabled agricultural information services (m-Agri services) has the potential to revolutionise agriculture and significantly improve smallholder farmers’ livelihoods in Africa. Globally, the benefits of m-Agri services include facilitating farmers’ access to financial services and sourcing agricultural information about input use, practices, and market prices. There are very few published literature sources that focus on the potential benefits of m-Agri services in Africa and none of which explore their sustainability. This study, therefore, explores the evolution, provision, and sustainability of these m-Agri services in Africa. An overview of the current landscape of m-Agri services in Africa is provided and this illustrates how varied these services are in design, content, and quality. Key findings from the exploratory literature review reveal that services are highly likely to fail to achieve their intended purpose or be abandoned when implementers ignore the literacy, skills, culture, and demands of the target users. This study recommends that, to enhance the sustainability of m-Agri services, the implementers need to design the services with the users involved, carefully analyse, and understand the target environment, and design for scale and a long-term purpose. While privacy and security of users need to be ensured, the reuse or improvement of existing initiatives should be explored, and projects need to be data-driven and maintained as open source. Thus, the study concludes that policymakers can support the long-term benefit of m-Agri services by ensuring favourable policies for both users and implementers

Emerging Internet Technologies and the Regulation of User Privacy

Modern Internet-based technologies pose a threat to privacy, as they possess multiple sensors or features that collect data about users. There is a need to determine the privacy risks that affect users in South Africa as there are a few studies on the subject. A qualitative study was done which involved interviewing seven experts and a survey consisting of 101 respondents. The results show that regulators view emerging technologies as potentially risky and are motivated by public interest to develop protective laws. It therefore is necessary that regulators develop robust laws to help prevent privacy violations. Furthermore, this paper proposes a conceptual framework that conceptualizes how emerging technologies affect users to inform policymaking

How WEIRD is Usable Privacy and Security Research? (Extended Version)

In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide the suggestions including facilitate replication studies, address geographic and linguistic issues of study/recruitment methods, and facilitate research on the topics for non-WEIRD populations.Comment: This paper is the extended version of the paper presented at USENIX SECURITY 202

An investigation into the security behaviour of tertiary students regarding mobile device security

The use of mobile devices is becoming more popular by the day. With all the different features that the smart mobile devices possess, it is starting to replace personal computers both for personal use and business use. There are also more attacks concerning security on mobile devices because of their increased usage and the security measures not as effective and well-known as on personal computers. The perceived perception is that the young adult population does not act safely and they have a low level of technical advanced knowledge when using their mobile devices. Mobile users are largely responsible to protect themselves and other users from a security viewpoint. This paper reports on a study including a survey done regarding the behaviour of tertiary students concerning security of their mobile devices. Aspects of mobile device security will be discussed and the current status of tertiary students’ behaviour regarding mobile device security will be presented resulting from a survey conducted at a South African University. Findings indicate that tertiary students have diverse behaviour levels concerning mobile device security. The value of these results is that we can focus on specific content when educating smart device users on the subject of security including avoidance of risky or unsafe behaviour. Recommendations in this regard are presented in this paper