1,294 research outputs found

    Measuring attitude towards personal data for adaptive cybersecurity

    Purpose: This paper presents an initial development of a Personal Data Attitude (PDA) measurement instrument based on established psychometric principles. The aim of the research was to develop a reliable measurement scale for quantifying and comparing attitudes towards personal data that can be incorporated into cybersecurity behavioral research models. Such a scale has become necessary for understanding individuals’ attitudes towards specific sets of data as more technologies are being designed to harvest, collate, share and analyze personal data. Design/methodology/approach: An initial set of 34 five-point Likert style items were developed with 8 sub-scales and administered to participants online. The data collected were subjected to Exploratory and Confirmatory factor analysis and some MANOVA. The results are consistent with multi-dimensionality of attitude theories and suggest the adopted methodology for the study is appropriate for future research with a more representative sample. Findings: Factor analysis of 247 responses identified 6 constructs of individuals’ attitude towards personal data: Protective Behavior, Privacy Concerns, Cost-Benefit, Awareness, Responsibility and Security. This paper illustrates how the PDA scale can be a useful guide for information security research and design by briefly discussing the factor structure of the PDA and related results. Originality/value: This study addresses a genuine gap in the research by taking the first step towards establishing empirical evidence for dimensions underlying personal data attitudes. It also adds a significant benchmark to a growing body of literature on understanding and modelling computer users’ security behaviors

    Exploring user behavioral data for adaptive cybersecurity

    This paper describes an exploratory investigation into the feasibility of predictive analytics of user behavioral data as a possible aid in developing effective user models for adaptive cybersecurity. Partial least squares structural equation modeling is applied to the domain of cybersecurity by collecting data on users’ attitude towards digital security, and analyzing how that influences their adoption and usage of technological security controls. Bayesian-network modeling is then applied to integrate the behavioral variables with simulated sensory data and/or logs from a web browsing session and other empirical data gathered to support personalized adaptive cybersecurity decision-making. Results from the empirical study show that predictive analytics is feasible in the context of behavioral cybersecurity, and can aid in the generation of useful heuristics for the design and development of adaptive cybersecurity mechanisms. Predictive analytics can also aid in encoding digital security behavioral knowledge that can support the adaptation and/or automation of operations in the domain of cybersecurity. The experimental results demonstrate the effectiveness of the techniques applied to extract input data for the Bayesian-based models for personalized adaptive cybersecurity assistance

    Cybersecurity Strategies for Universities With Bring Your Own Device Programs

    The bring your own device (BYOD) phenomenon has proliferated, making its way into different business and educational sectors and enabling multiple vectors of attack and vulnerability to protected data. The purpose of this multiple-case study was to explore the strategies information technology (IT) security professionals working in a university setting use to secure an environment to support BYOD in a university system. The study population was comprised of IT security professionals from the University of California campuses currently managing a network environment for at least 2 years where BYOD has been implemented. Protection motivation theory was the study's conceptual framework. The data collection process included interviews with 10 IT security professionals and the gathering of publicly-accessible documents retrieved from the Internet (n = 59). Data collected from the interviews and member checking were triangulated with the publicly-accessible documents to identify major themes. Thematic analysis with the aid of NVivo 12 Plus was used to identify 4 themes: the ubiquity of BYOD in higher education, accessibility strategies for mobile devices, the effectiveness of BYOD strategies that minimize risk, and IT security professionals' tasks include identifying and implementing network security strategies. The study's implications for positive social change include increasing the number of users informed about cybersecurity and comfortable with defending their networks against foreign and domestic threats to information security and privacy. These changes may mitigate and reduce the spread of malware and viruses and improve overall cybersecurity in BYOD-enabled organizations

    The Empirical Study of the Factors that Influence Threat Avoidance Behavior in Ransomware Security Incidents

    Ransomware security incidents have become one of the biggest threats to general computer users who are oblivious to the ease of infection, severity, and cost of the damage it causes. University networks and their students are susceptible to ransomware security incidents. College students have vast technical skills and knowledge, however they risk ransomware security incidents because of their lack of mitigating actions to the threats and the belief that it would not happen to them. Interaction with peers may play a part in college students’ perception of the threats and behavior to secure their computers. Identifying what influences students’ threat avoidance behavior in the face of ransomware security incidents is essential to managing students’ behaviors to protect their personal and university computer systems. The goal of this research is to empirically examine threat avoidance behavior in the context of ransomware security incidents among college students. The research model extends the Technology Threat Avoidance Theory with the addition of the factors of subjective norm, attitude toward knowledge sharing, and experience of threat. The study focuses on the effects these factors have on threat avoidance behavior. These factors determine if externalities such as social pressures or previous experiences of threat influence avoidance behavior. This study was a quantitative and empirical study using a non-probability design for gathering data. The convenience sampling method was used to collect data using a survey instrument. The items of the survey instrument were designed using the 7-point Likert Scale. The data was collected from 174 United States college students using an online survey tool. Prior to the main data collection effort, an expert panel review and a pilot study were conducted. Pre-analysis data screening was conducted before analyzing the data. Data analysis with survey data was conducted using Partial Least Square Structural Equation Modeling (PLS-SEM) using SmartPLS 3.0. The results of the study showed a positive and significant relationship between avoidance motivation and threat avoidance behavior. Subjective norm was found to have a positive effect on attitude towards knowledge sharing. However, the relationship between subjective norm and response efficacy was not significant. The study contributes to the body of knowledge by providing empirical evidence about the effect of factors of threat avoidance behavior on ransomware security incidents among college students. It provides insight into the experience and preparedness of students to deal with the threat of ransomware

    Employees’ behavior in phishing attacks: what individual, organizational and technological factors matter?

    Phishing, as a social engineering attack, has become an increasing threat to organizations in cyberspace. To prevent this, a well-designed continuous security training and educational program needs to be established and enforced in organizations. Prior studies have focused on phishing attack from a limited view of technology countermeasure, e-mail’s characteristic, information processing, and securing individual’s behaviors to tackle existing gaps. In this research, we developed a theoretical model of factors that influence users in the clicking of phishing e-mails from a broader Socio-Technical perspective. We applied Protection Motivation Theory (PMT) and habit theory for investigating individual factors, Theory of Planned Behavior (TPB) and Deterrence Theory for investigating organizational and technological factors accordingly. The findings revealed habit and protective countermeasure positively affect clicking on phishing e-mails, whereas no effect of the procedural countermeasures was evident. The results of this study can be used to design phishing simulation exercise and embedded training for vulnerable employees