Are 21st-century citizens grieving for their loss of privacy?

Although much research exists that examines cognitive events leading up to information disclosure, such as risk-benefit analysis and state-based and trait-based attributes, minimal research exists that examines user responses after a direct or indirect breach of privacy. The present study examines 1,004 consumer responses to two different high-profile privacy breaches using sentiment analysis. Our findings indicate that individuals who experience an actual or surrogate privacy breach exhibit similar emotional responses, and that the pattern of responses resembles well-known reactions to other losses. Specifically, we present evidence that users contemplating evidence of a privacy invasion experience and communicate very similar responses as individuals who have lost loved ones, gone through a divorce or who face impending death because of a terminal illness. These responses parallel behavior associated with the Kübler-Ross’s five stages of grief

Individual Differences in Cyber Security

A survey of IT professionals suggested that despite technological advancement and organizational procedures to prevent cyber-attacks, users are still the weakest link in cyber security (Crossler, 2013). This suggests it is important to discover what individual differences may cause a user to be more or less vulnerable to cyber security threats. Cyber security knowledge has been shown to lead to increased learning and proactive cyber security behavior (CSB). Self-efficacy has been shown to be a strong predictor of a user’s intended behavior. Traits such as neuroticism have been shown to negatively influence cyber security knowledge and self-efficacy, which may hinder CSB. In discovering what individual traits may predict CSB, users and designers may be able to implement solutions to improve CSB. In this study, 183 undergraduate students at San José State University completed an online survey. Students completed surveys of self-efficacy in information security, and cyber security behavioral intention, as well as a personality inventory and a semantic cyber security knowledge quiz. Correlational analyses were conducted to test hypotheses related to individual traits expected to predict CSB. Results included a negative relationship between neuroticism and self-efficacy and a positive relationship between self-efficacy and CSB. Overall, the results support the conclusion that individual differences can predict self-efficacy and intention to engage in CSB. Future research is needed to investigate whether CSB is influenced by traits such as neuroticism, if CSB can be improved through video games, and which are the causal directions of these effects

A descriptive review and classification of organizational information security awareness research

Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

Psychological Profiling of Hacking Potential

This paper investigates the psychological traits of individuals’ attraction to engaging in hacking behaviors (both ethical and illegal/unethical) upon entering the workforce. We examine the role of the Dark Triad, Opposition to Authority and Thrill-Seeking traits as regards the propensity of an individual to be interested in White Hat, Black Hat, and Grey Hat hacking. A new set of scales were developed to assist in the delineation of the three hat categories. We also developed a scale to measure each subject’s perception of the probability of being apprehended for violating privacy laws. Engaging in criminal activity involves a choice where there are consequences and opportunities, and individuals perceive them differently, but they can be deterred if there is a likelihood of punishment, and the punishment is severe. The results suggest that individuals that are White Hat, Grey Hat and Black Hat hackers score high on the Machiavellian and Psychopathy scales. We also found evidence that Grey Hatters oppose authority, Black Hatters score high on the thrill-seeking dimension and White Hatters, the good guys, tend to be Narcissists. Thrill-seeking was moderately important for White Hat hacking and Black hat hacking. Opposition to Authority was important for Grey Hat hacking. Narcissism was not statistically significant in any of the models. The probability of being apprehended had a negative effect on Grey Hat and Black Hat hacking. Several suggestions will be made on what organizations can do to address insider threats

Cybersecurity: Role of Behavioral Training in Healthcare

We were tasked by a global leader in healthcare to look into making the organization more secure by creating a training program that focused on employee habits. By adapting a model from consumer behavior to information security, we were able to find strong correlations between habit creation and security threats such as phishing, unauthorized cloud computing use, and password sharing. We were also able to ascertain that traditional security training and awareness programs need to move away from the “one-size” fits all technique to custom models that need to look at employee groups. This study extends literature in habit and information security

A Picture vs. 1,000 Words: Threat Visualization and Verbalization in Information Security Fear Appeals

Fear appeals are messages designed to persuade individuals to adopt a recommended behavior by describing the danger associated with a particular threat. This paper focuses on the persuasive roles of threat-related images and text in information security fear appeals and describes a series of studies that use neurophysiological measures to investigate how a fear appeal’s threat verbalization and visualization drive emotion and cognition in order to motivate appropriate information security behavior

Investigation on Willingness of Employees to Share Information Security Advice

As modern organizations rely more on their information systems, mitigating information security risks becomes essential. Weaknesses in the information security management chain have continued to be challenged by employees. Therefore, enhancing employee security awareness becomes critical. Considering the effectiveness of informal methods, this research examines security advice sharing as one of the operative ways. Accordingly, in this paper, by adapting the theory of planned behavior as our theoretical lens, we propose a conceptual model of factors that are anticipated to impact the willingness of employees to share security advice. Finally, conclusion and avenues for future research are discussed

Beyond Compliance: Empowering Employees’ Extra-Role Security Behaviors in Dynamic Environments

Information security policies are (ISP) used to guide employees in order to ensure information security while utilizing organizational information systems in the workplace. However, rigid compliance with ISP may not help employees and companies to confront emerging threats in the dynamic environment of modern security threats. ISP should be developed and improved according to the demands of implementers and in keeping with the changing security environment. To that end, we propose that employees\u27 extra-role behaviors - actions that may seem to go beyond requirements and limitations of security policies - can provide input into forming suitable and feasible security policies that provide insights against the emerging threats in the operating environment

A Social Cognitive Neuroscience Approach to Information Security

Information security (InfoSec) represents a significant challenge for private citizens, corporations, and government entities. Breaches of InfoSec, may lower consumer confidence (Yayla & Hu, 2011), shape national and international politics (Groll, 2017), and represent a significant threat to the world economy (e.g., estimated costs of breaches related to cybercrime were $3 trillion in 2015; Cybersecurity Ventures). Significant progress has been made in the context of developing and refining hardware and software infrastructure to thwart cybercrime (Ayuso, Gasca, & Lefevre, 2012; Choo, 2011). However, much less attention has been devoted to understanding the factors that lead individuals within an organization to compromise the digital assets of a company or government entity (Posey, Bennett, & Roberts, 2011; Warkentin & Willison, 2009). The need to for a greater understanding of the causes of insider threat becomes readily apparent when one considers that roughly 50% of security violations result from the activities of individuals within an organization (Richardson, 2011). Additionally, in a recent survey 89% of respondents felt that their organizations were at risk from an insider attack, and 34% felt very or extremely vulnerable (Vormetric Data Security, 2015). In this paper we describe our program of research that examines the neural basis of individual decision making related to InfoSec, and is grounded in a social cognitive neuroscience approach. We also consider evidence from studies examining the effects of individual and cultural differences on decision making related to InfoSec. Together this evidence may serve to motivate future research that integrates theories from neuroscience and the social and behavioral sciences in order to deepen our understanding of the factors that lead individuals to compromise InfoSec