5 research outputs found

    Secure or usable computers? Revealing employees’ perceptions and trade-offs by means of a discrete choice experiment

    It is often suggested in the literature that employees regard technical security measures (TSMs) as user-unfriendly, indicating a trade-off between security and usability. However, there is little empirical evidence of such a trade-off, nor about the strength of the associated negative correlation and the importance employees attach to both properties. This paper intends to fill these knowledge gaps by studying employees’ trade-offs concerning the usability and security of TSMs within a discrete choice experiment (DCE) framework. In our DCE, employees are asked to indicate the most preferred security packages that describe combinations of TSMs. In addition, security and usability perceptions of the security packages are explicitly measured and modelled. The models estimated from these observed responses indicate how each TSM affects perceived security, perceived usability and preference. The paper further illustrates how the modelling results can be applied to design highly secure packages that are still preferred by employees. The paper also makes a methodological contribution to the literature by introducing discrete choice experiments to the field of information security.

    Strategies Security Managers Used to Prevent Security Breaches in SCADA Systems' Networks

    Supervisory Control and Data Acquisition (SCADA) systems monitor and control physical processes in critical infrastructure. The impact of successful attacks on the SCADA systems includes the system's downtime and delay in production, which may have a debilitating effect on the national economy and create critical human safety hazards. Grounded in the general systems theory, the purpose of this qualitative multiple case study was to explore strategies SCADA security managers in the Southwest region of the United States use to secure SCADA systems' networks. The participants comprised six SCADA security managers from three oil and gas organizations in the midstream sector located within this region. Data were collected using semistructured interviews and a review of organizational documents. Four themes emerged from the thematic analysis: (a) the importance of security awareness and workforce security training, (b) the use of technical control mechanisms, (c) the establishment of standard security policies, and (d) the use of access and identity management techniques. A key recommendation is for IT managers to adopt security awareness and workforce security training to strengthen the security chain's most vulnerable link. The implications for positive social change include the potential to prevent consequences such as loss of lives, damage to the environment, and the economy resulting from malicious activities.

    Exploring Strategies for Implementing Information Security Training and Employee Compliance Practices

    Humans are the weakest link in any information security (IS) environment. Research has shown that humans account for more than half of all security incidents in organizations. The purpose of this qualitative case study was to explore the strategies IS managers use to provide training and awareness programs that improve compliance with organizational security policies and reduce the number of security incidents. The population for this study was IS security managers from 2 organizations in Western New York. Information theory and institutional isomorphism were the conceptual frameworks for this study. Data collection was performed using face-to-face interviews with IS managers (n = 3) as well as secondary data analysis of documented IS policies and procedures (n = 28). Analysis and coding of the interview data was performed using a qualitative analysis tool called NVivo, which helped identify the primary themes. Developing IS policy, building a strong security culture, and establishing and maintaining a consistent, relevant, and role-based security awareness and training program were a few of the main themes that emerged from analysis. The findings from this study may drive social change by providing IS managers additional information on developing IS policy, building an IS culture and developing role-specific training and awareness programs. Improved IS practices may contribute to social change by reducing IS risk within organizations as well as reducing personal IS risk with improved IS habits.

    CYBER SECURITY @ HOME: The Effect of Home User Perceptions of Personal Security Performance on Household IoT Security Intentions

    This study explored potential human factors predictors of home user security intentions through the lens of past performance, perceived self-efficacy, and locus of control. While perceived self-efficacy and locus of control are elements in several organizational and individual security models, past performance has been less frequently studied. The variable, past performance, which has been referred to in other studies as prior experience, knowledge, and information security awareness, is usually a single-question self-assessment of familiarity or comfort with technology. This study explores user technical prowess in further depth, using formal technical education, informal technical education, employment in an IT/CS field, and self-reported email and internet security measures as a measurement of technical ability. Security intentions were determined by best practices in hardware security, network security, and IoT device protection. Studying IoT security in home users is important because there are 26.6 billion devices connected to the Internet already, with 127 devices being added to the network every second, which creates a very large attack surface if left unsecured. Unlike organizations, with dedicated IT departments, home users must provide their own security within their network. Instead of building security around the user, this research attempts to determine what human factors variables affect intentions to use existing security technologies. Through an online survey, home users provided information on their background, device usage, perceived ability to perform security behaviors, level of control over their environment, current security intentions, and future security intentions. Hierarchical linear regression, path modeling, and structural equation modeling determined that past performance was consistently the strongest predictor of security intentions for home users. Self-efficacy and locus of control had varying results among the disparate methods. Additionally, exposure to security concepts through the survey had an effect on user security intentions, as measured at the end of the survey. This research contributed an initial model for the effects of past performance, self-efficacy, and locus of control on security intentions. It provided verification for existing self-efficacy and locus of control measurements, as well as comprehensive, modular security intentions survey questions. Additionally, this study provided insight into the effect of demographics on security intentions.

    Exploring Strategies for Enforcing Cybersecurity Policies

    Some cybersecurity leaders have not enforced cybersecurity policies in their organizations. The lack of employee cybersecurity policy compliance is a significant threat in organizations because it leads to security risks and breaches. Grounded in the theory of planned behavior, the purpose of this qualitative case study was to explore the strategies cybersecurity leaders utilize to enforce cybersecurity policies. The participants were cybersecurity leaders from 3 large organizations in southwest and northcentral Nigeria responsible for enforcing cybersecurity policies. The data collection included semi-structured interviews of participating cybersecurity leaders (n = 12) and analysis of cybersecurity policy documents (n = 20). Thematic analysis identified 4 primary themes: security awareness and training, communication, management support, and technology control. A key recommendation is that organizations should have a chief information security officer for oversight of cybersecurity. Employee cybersecurity compliance should be reviewed regularly throughout the year for improvement and desired cybersecurity behavior. The implications for positive social change include the potential for cybersecurity leaders to implement cybersecurity measures that could enhance the public’s confidence by assuring them of their data’s safety and confidentiality, the integrity of data, and the availability of their services.