
    How Effective are SETA Programs Anyway: Learning and Forgetting in Security Awareness Training

    Prevalent security threats caused by human error necessitate security education, training, and awareness (SETA) programs in organizations. Despite strong theoretical foundations in behavioral cybersecurity, field evidence on the effectiveness of SETA programs in mitigating actual threats is scarce. Specifically, with a broad range of cybersecurity knowledge crammed into a single SETA session, it is unclear how effective different types of knowledge are in mitigating human error in a longitudinal setting. This study investigates how knowledge gained through SETA programs affects human error in cybersecurity, to fill that longitudinal void. In a baseline experiment, we establish that SETA programs reduce phishing susceptibility by 50%, whereas training intensity does not affect the rate. In a follow-up experiment, we find that SETA programs can increase employees' cybersecurity knowledge by 12-17%, but the increment wears off within a month. Furthermore, technical-level knowledge decays faster than application-level knowledge. The longer "shelf life" of application-level knowledge explains why training intensity makes no difference within a month. This study reveals a (relatively) more effective component of SETA programs and casts doubt on the overall effectiveness of SETA programs in the long run.

    Survival of the safest: examining organization risk factors for cybersecurity incidents

    [Invited adaptation from presentation proposal, A Matter of Time: Exploring Survival Analysis Through Cybersecurity] Given that employees pose a large threat to organizational cybersecurity, much research attention has been directed to identifying individual risk factors for cybersecurity noncompliance and misbehavior, at the expense of examining broad organizational risk factors. However, no study to date has formally examined how the risk of an organizational cybersecurity incident changes over time, or how organizational characteristics affect this risk. The proposed study aims to conduct a survival analysis (SA) of cybersecurity events across the past decade, examining broad factors that affect the changing probability of cyberincidents. In particular, the proposed study will examine associations between cyberbreaches and industry type, annual revenue, and the sensitivity of information handled by the organization. While other studies have examined organization-wide risk factors, none have done so in a longitudinal analysis such as SA. The proposed study emphasizes the necessity of examining changes in risk across time, given the abundant evidence that cybersecurity incidents are increasing in both frequency and severity. Previously employed methods such as odds ratios fail to account for the time-based component needed to properly analyze the continuously changing threat of cyberattacks. To analyze the impact of organizational factors on the risk of a cyberincident, the proposed study will record security breaches (or the lack thereof) for organizations listed in the Fortune 1000 from 2005 to 2019, using publicly available data on over 9,000 cyberincidents recorded by Privacy Rights Clearinghouse. Event data will be examined in R, and organizational factors will be examined for association with the risk of a cyberincident.
    Preliminary results from 2004 Fortune 500 companies indicate significant associations between cyberincident risk and both industry type and annual revenue. By utilizing survival analysis, the proposed study will provide an enhanced, time-based view of the past prevalence of cybersecurity incidents and the organizational factors associated with increased risk. Emphasizing these factors serves to alert organizations to their particular vulnerabilities, inspiring increased attention to the subject of security.

    Published incidents and their proportions of human error

    The file attached to this record is the author's final peer-reviewed version. The publisher's final version can be found by following the DOI link.
    Purpose - The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Although the need for information security practices has been recognised for some time, the underlying tasks and causes behind these incidents and breaches are not consistently understood, particularly with regard to human error. Methodology - This paper analyses recently published incidents and breaches to establish the proportions attributable to human error and, where possible, subsequently applies the HEART human reliability analysis technique, which is established within the safety field. Findings - The analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of task that result in these incidents and breaches, through the adoption of methods applied within the safety field. Originality - This research provides an original contribution to knowledge through the analysis of recent public sector information security incidents and breaches in order to understand the proportions that relate to human error.

    Enhanced Information Systems Success Model for Patient Information Assurance

    Current health information systems face many challenges, such as a lack of standard user interfaces, data security and privacy issues, an inability to uniquely identify patients across multiple hospital information systems, probable misuse of patient data, high technology costs, resistance to technology deployments in hospital management, and a lack of standardization in data gathering, processing and analysis. All of these challenges, among others, either hamper acceptance of the health information systems, reduce operational efficiency, or expose patient information to cyber attacks. In this paper, an enhanced information systems success model for patient information assurance is developed by combining the Technology Acceptance Model (TAM) and the Information Systems Success Model (ISS). This involved using the Linear Structural Relations (LISREL) software to model the combinations of ISS and Intention to Use (ITU), TAM and ITU, ISS and user satisfaction (US), and finally TAM and US. A sample size of 110 respondents was obtained from a total population of 221 using Cochran's formula. Simple random sampling was then employed to select members within each category of employees to take part in the study. The questionnaire used as the research instrument was checked for reliability via Cronbach's alpha. The results showed that, in the ISS and ITU model, only perceived ease of use, system features, response time, flexibility, timeliness, accuracy, responsiveness and user training positively influenced intention to use. In the TAM and ITU model, only TAM measures such as timely information, efficiency, increased transparency and proper patient identification had a positive effect on intention to use. The ISS and US model revealed that perceived ease of use had the greatest impact on user satisfaction, while response time had the least effect.
    In turn, the TAM and US model showed that timely information, effectiveness, consistency, enhanced communication and proper patient identification had a positive influence on user satisfaction.

    Applying a tracking game system to measure user behavior toward cybersecurity policies

    Institutions wrestle to protect their information from threats and cybercrime, and therefore devote a great deal of attention to improving their information security infrastructure. Users' behavior has traditionally been explored by applying a questionnaire as the research instrument in the data collection process. But researchers commonly suffer from a lack of respondent credibility when asking someone to fill out a questionnaire, and that credibility may decline further when the research topic concerns the use and implementation of information security policies. The reliability of respondents' answers is therefore insufficient, and the responses may not reflect actual behavior, because people are biased when facing the problems only in theory. The current study proposes a new approach to tracking and studying respondents' behavior by building a tracking game system aligned with the questionnaire whose results are sought. The system allows the respondent to answer the survey questions related to compliance with the information security policies while their behavior in using the system is tracked.

    Overcoming the security quagmire: behavioural science and modern technology hold the key to solving the complex issue of law firm cyber security

    While all industries that handle valuable data have been subject to increasing levels of cyber attack, there is a set of inter-related factors in the law firm cyber security ecosystem that makes such firms more susceptible to attack and also serves to prevent them from taking action to counteract attack vulnerability. As a result of the inter-related external and internal factors affecting law firm cyber security, the human element of firm security infrastructure has been neglected, thereby making humans, at once law firms' greatest asset, their main cyber security weakness. There has been some movement of late, and regulators and clients alike are right to demand law firms do more to improve their cyber security posture. However, much of the scrutiny to which their conduct has been subjected has tended to overlook the complexities of the law firm cyber security quagmire, and unless these issues are addressed in the context of a potential solution, meaningful change is not likely. Part 1 of this paper outlines the current threat landscape and details the integral role of human error in successful cyber breaches before turning to discuss recent cyber security incidents involving law firms. In Part 2, we analyse elements of law firm short-termism and the underregulation of law firm cyber security conduct and how these, when combined, play a key role in shaping law firm cyber security posture. Finally, in Part 3 we outline a realistic solution, incorporating principles from behavioural science and modern technological developments.

    Analysis of published public sector information security incidents and breaches to establish the proportions of human error

    The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Although the need for information security practices has been recognised for some time, the underlying tasks and causes behind these incidents and breaches are not consistently understood, particularly with regard to human error. This paper analyses recently published incidents and breaches to establish the proportions attributable to human error and, where possible, subsequently applies the HEART human reliability analysis technique, which is established within the safety field. The analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of task that result in these incidents and breaches, through the adoption of methods applied within the safety field.
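    Both of the human-error abstracts above apply HEART to published incidents without showing the calculation, so here is an added illustration of how a HEART assessment is carried out; it is not code or data from either paper. HEART combines a nominal human error probability (HEP) for a generic task type with a multiplier for each error-producing condition (EPC) present, weighted by the assessor's judgement of how much of that condition applies (the assessed proportion of affect, APOA): HEP = nominal × Π[(EPC_i − 1) × APOA_i + 1]. The task-type probabilities and EPC multipliers below are approximate figures from the published HEART tables and the scenario (a routine e-mail attachment sent under mild time pressure with no independent check) is constructed; both are assumptions for the demonstration, and the values should be checked against the current tables before any real use.

```python
"""HEART-style human error probability for a constructed security task.

Added example, not either paper's code or data. The nominal probabilities
and multipliers below are approximate values from the HEART generic task
and EPC tables, assumed here for illustration; verify against the current
tables before using them in a real assessment.
"""

# Generic task type -> nominal human error probability (assumed values).
GENERIC_TASKS = {
    "A": 0.55,    # totally unfamiliar task performed at speed, no idea of outcome
    "C": 0.16,    # complex task requiring a high level of comprehension and skill
    "E": 0.02,    # routine, highly practised, rapid task, relatively low skill
    "F": 0.003,   # restore or shift a system following procedures with checking
    "G": 0.0004,  # completely familiar, well-designed, highly practised routine task
}

# Error-producing condition -> maximum multiplier (assumed values).
EPC_MULTIPLIERS = {
    "unfamiliarity": 17.0,
    "time_shortage": 11.0,
    "knowledge_transfer": 5.5,
    "ambiguous_feedback": 4.0,
    "no_independent_check": 3.0,
}


def heart_hep(task_type, conditions):
    """Assessed HEP for a task of the given generic type.

    conditions: list of (epc_name, apoa) with apoa in [0, 1] describing how
    fully each error-producing condition applies. Each EPC scales the
    nominal probability by (multiplier - 1) * apoa + 1, so apoa=0 leaves
    it unchanged and apoa=1 applies the full multiplier. The result is a
    probability, so it is capped at 1.0.
    """
    hep = GENERIC_TASKS[task_type]
    for name, apoa in conditions:
        if not 0.0 <= apoa <= 1.0:
            raise ValueError("APOA for %s must be in [0, 1]" % name)
        hep *= (EPC_MULTIPLIERS[name] - 1.0) * apoa + 1.0
    return min(hep, 1.0)


def most_influential_epc(task_type, conditions):
    """Name of the EPC whose removal lowers the HEP the most.

    This is the practical output of a HEART assessment: it points at the
    condition worth engineering out first (for the scenario below, adding
    an independent check rather than relieving time pressure).
    """
    baseline = heart_hep(task_type, conditions)
    best_name, best_drop = None, -1.0
    for i, (name, _) in enumerate(conditions):
        without = conditions[:i] + conditions[i + 1:]
        drop = baseline - heart_hep(task_type, without)
        if drop > best_drop:
            best_name, best_drop = name, drop
    return best_name


# Constructed scenario: attaching a file to an outgoing e-mail is a routine,
# highly practised task (type E), done under some time pressure, with nobody
# checking the recipient or attachment, in a client that gives little
# feedback about which file was actually picked.
MISDIRECTED_ATTACHMENT = [
    ("time_shortage", 0.1),
    ("no_independent_check", 1.0),
    ("ambiguous_feedback", 0.5),
]


def scenario_hep():
    """HEP for the constructed misdirected-attachment scenario."""
    return heart_hep("E", MISDIRECTED_ATTACHMENT)


if __name__ == "__main__":
    print("assessed HEP: %.3f" % scenario_hep())
    print("most influential EPC:",
          most_influential_epc("E", MISDIRECTED_ATTACHMENT))
```

    With the assumed figures the nominal 2% error rate for a routine task rises to about 30% once the three conditions are applied, and removing the "no independent check" condition alone brings it down to 10%, which is why a human reliability analysis of incident data tends to point at control design rather than at the individual who made the error.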

    Cybersecurity in Health Systems: Challenges and Proposals

    The recent rise in cybersecurity breaches in health care organizations has put patients' privacy at greater risk of exposure. Despite this threat, and the additional danger such incidents pose to patient safety as well as the operational and financial risks to health care organizations, few studies have systematically analysed the cybersecurity risks in health care. To establish a sound starting point for health care organizations and policymakers in understanding the complexity of the cybersecurity problem, this study examines the major types of cybersecurity risk for health care organizations and explains the roles of four key actors (cyber attackers, cyber defenders, developers and end users) in cybersecurity. Finally, the paper presents a set of recommendations for policymakers and health care organizations to strengthen cybersecurity in their organizations.