1,110,929 research outputs found

    Expanding Protection Motivation Theory: The Role of Individual Experience in Information Security Policy Compliance

    The purpose of the present study is to make contributions to the area of behavioral information security in the field of Information Systems and to assist in the improved development of Information Security Policy instructional programs to increase the policy compliance of individuals. The role of an individual’s experience in the context of information security behavior was explored through the lens of protection motivation theory. The practical foundation was provided by the framework of Security Education, Training, and Awareness (SETA) programs which are typically used by organizations within the United States to instruct employees regarding information security. A pilot study and primary study were conducted with separate data collections and analyses. Both existing and new measures were tested in the study which used a Modified Solomon Four Group Design to accommodate data collection via a web-based survey that included a two-treatment experimental component. The primary contribution to academia proposed in this study was to expand the protection motivation theory by including direct and vicarious experience regarding both threats and responses to the threats. Clear definitions and valid and reliable reflective measures for each of the four experience constructs were developed and are presented in this dissertation. Furthermore, the study demonstrated that all four forms of experience play an important part in the prediction of the primary constructs in the protection motivation model, and as such ultimately play an important part in the prediction of behavioral intent in the context of information security. The primary contribution to practice was expected to be specifically related to the application of fear appeals within a SETA instructional framework. The contribution to practice made by this dissertation became instead the implications resulting from the strong performance of the experience constructs. 
Specifically, experience, both direct and vicarious, and with threats and with responses, are all important influences on individuals’ behavioral choices regarding information security and should continue to be explored in this context.

    Unpacking security policy compliance: The motivators and barriers of employees’ security behaviors

    The body of research that focuses on employees’ information Security Policy compliance is problematic as it treats compliance as a single behavior. This study explored the underlying behavioral context of information security in the workplace, exploring how individual and organizational factors influence the interplay of the motivations and barriers of security behaviors. Investigating factors that had previously been explored in security research, 20 employees from two organizations were interviewed and the data was analyzed using framework analysis. The analysis indicated that there were seven themes pertinent to information security: Response Evaluation, Threat Evaluation, Knowledge, Experience, Security Responsibility, Personal and Work Boundaries, and Security Behavior. The findings suggest that these differ by security behavior and by the nature of the behavior (e.g. on- and offline). Conclusions are discussed highlighting barriers to security actions and implications for future research and workplace practice.

    MSUO Information Technology and Geographical Information Systems: Common Protocols & Procedures. Report to the Marine Safety Umbrella Operation

    The Marine Safety Umbrella Operation (MSUO) facilitates the cooperation between Interreg funded Marine Safety Projects and maritime stakeholders. The main aim of MSUO is to permit efficient operation of new projects through Project Cooperation Initiatives, these include the review of the common protocols and procedures for Information Technology (IT) and Geographical Information Systems (GIS). This study carried out by CSA Group and the National Centre for Geocomputation (NCG) reviews current spatial information standards in Europe and the data management methodologies associated with different marine safety projects. International best practice was reviewed based on the combined experience of spatial data research at NCG and initiatives in the US, Canada and the UK relating to marine security service information and acquisition and integration of large marine datasets for ocean management purposes. This report identifies the most appropriate international data management practices that could be adopted for future MSUO projects.

    Self-Efficacy in Information Security: A Mixed Methods Study of Deaf End-Users

    This explanatory sequential mixed methods study focuses on gaining an overall understanding of the potential variances in self-efficacy in information security and security practice behavior in the deaf population. Very little is understood about the deaf experience when engaging in security practices and their confidence levels in doing so. Due to the fast-paced nature of cyber security and its many facets, the human factor plays a crucial role in the success of cyber security. It is important to understand the potential implications of variances that may affect a deaf end-user’s security practice behavior to be able to provide more effective security awareness programs. By using a two-pronged approach, further insight is gained on the potential variances in self-efficacy in information security and the resultant security practice behavior. Starting with a broad quantitative survey that measures an end-user’s self-efficacy, behavioral intention, security practice with technology, and security practice conscious care behavior. In the first phase, data is collected to identify variances when compared to hearing end-users allows for a greater understanding of what unique areas of weaknesses may need to be addressed. The second phase consisted of phenomenological semi-structured interviews that are held with deaf end-users that have indicated variances in self-efficacy in information security and security practice behavior. The intent of the interviews was to capture the essence of the deaf end-user’s lived experiences when engaging with security practice behavior. Through extensive data analysis of 228 responses from 119 deaf participants and 109 hearing participants, all three null hypotheses in this first phase of the study were rejected. 
It was concluded that deaf end-users had significantly higher SEIS while having a significantly lower behavioral intention, security practice – technology, and security practice – conscious care behavior than hearing end-users. It was also concluded in the first phase that a positive SEIS corresponds to improved security practice behavior for both deaf and hearing end-users. In-depth semi-structured interviews of 10 deaf end-users who indicated a variance in self-efficacy in information security and security practice behavior allowed for the identification of essential themes. These themes were derived from coded analysis of the interviews: (1) Deaf-Specific Barriers; (2) Digital Literacy; (3) Positive Security Intention; (4) Reliance on Technology; (5) Poor Security Knowledge; (6) Poor Security Behavior; (7) Having a Support Network. These identified themes were prevalent among all deaf end-users of varying demographics and backgrounds. The impact of this study is to highlight the need for the development of tailored and accessible cyber security awareness programs for deaf end-users to address the significantly lower security practice behavior in comparison to hearing end-users. The identification of such a variance and understanding the lived experiences that lead to such behavior raises the need for additional research into the full scope of impact on deaf end-users’ security practice behavior and how to best address the concerns.

    Editors' Preface

    Since 2004, Kennesaw State University, Georgia, has hosted an academic conference. Over the years, the event has brought together hundreds of faculty and students from throughout the U.S., sharing research into pedagogical efforts and instructional innovations. Initially, the conference was named the Information Security Curriculum Development conference and served as KSU’s contribution to engage our colleagues in growing security education from its infancy. It was paired with KSU’s inaugural security education journal, the Information Security Education Journal. In 2016, the event was rebranded as the Conference on Cybersecurity Education, Research, and Practice to reflect both an expansion of topics suitable for inclusion in the conference and to acknowledge the evolution of information security in the public and private sectors. KSU began hosting the Journal of Cybersecurity Education, Research, and Practice (https://digitalcommons.kennesaw.edu/jcerp/) through its Digital Common subscription at the same time, allowing a truly open access experience, with no fees of any kind to authors or readers. You can view their published papers there after the conference.

    Assessment of users' information security behavior in smartphone networks

    With the exponential growth of smartphone usage, providing information security has become one of the main challenges that researchers and information-security specialists must consider. In contrast to traditional mobile phones that only enable people to talk and text, smartphone networks give users a variety of convenient functions such as connection to the Internet, online shopping, e-mail and social media, data storage, global positioning systems, and many other applications. Providing security in smartphone networks is critical for the overall information security of individuals and businesses. Smartphone networks could become vulnerable to security breaches if users do not practice safe behaviors such as selecting strong passwords, encrypting their stored data, downloading applications only from authorized websites, not opening emails from unknown sources, and updating authorized security patches. Users of smartphone devices play an important role in providing information security in smartphone networks, which affects the information security of private and public networks. This study assessed the factors that affect users’ security behavior on smartphone networks. By reviewing the theoretical frameworks that evaluate human behavior, this study formed a research model. The research model identified attitude, intention, computing experience, breaching experience, and facilitation condition as the main and direct factors that influence information security behavior in smartphone networks. This study performed several analyses on the investigator-developed survey questionnaire to ensure validity and reliability. Examining all of the proposed direct constructs, this study found that users’ facilitation condition does not have significant impact on the information security behavior in smartphones. This research also showed that gender and employment status have moderating effects on several hypothesized paths. 
The findings of this research could help information security developers to design better systems that could provide stronger information security for individuals and businesses that share their networks with users’ smartphones.

    Equipment-as-Experience: A Heidegger-Based Position of Information Security

    Information security (InfoSec) has ontologically been characterised as an order machine. The order machine connects with other machines through interrupting mechanisms. This way of portraying InfoSec focuses on the correct placement of machine entities to protect information assets. However, what is missing in this view is that for the InfoSec we experience in everyday practice, we are not just observers of the InfoSec phenomena but also active agents of it. To contribute to the quest, we draw on Heidegger’s (1962) notion of equipment and propose the concept of equipment-as-experience to understand the ontological position of InfoSec in everyday practice. In this paper we show how equipment-as-experience provides a richer picture of InfoSec as being a fundamental sociotechnical phenomena. We further contend using an example case to illustrate that InfoSec equipment should not be understood merely by its properties (present-at-hand mode), but rather in ready-to-hand mode when put into practice.

    SciTokens: Capability-Based Secure Access to Remote Scientific Data

    The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems. Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced Research Computing, July 22-26, 2018, Pittsburgh, PA, US