19,149 research outputs found

    Investigating the tension between cloud-related actors and individual privacy rights

    Historically, little more than lip service has been paid to the rights of individuals to act to preserve their own privacy. Personal information is frequently exploited for commercial gain, often without the person’s knowledge or permission. New legislation, such as the EU General Data Protection Regulation Act, has acknowledged the need for legislative protection. This Act places the onus on service providers to preserve the confidentiality of their users’ and customers’ personal information, on pain of punitive fines for lapses. It accords special privileges to users, such as the right to be forgotten. This regulation has global jurisdiction covering the rights of any EU resident, worldwide. Assuring this legislated privacy protection presents a serious challenge, which is exacerbated in the cloud environment. A considerable number of actors are stakeholders in cloud ecosystems. Each has their own agenda and these are not necessarily well aligned. Cloud service providers, especially those offering social media services, are interested in growing their businesses and maximising revenue. There is a strong incentive for them to capitalise on their users’ personal information and usage information. Privacy is often the first victim. Here, we examine the tensions between the various cloud actors and propose a framework that could be used to ensure that privacy is preserved and respected in cloud systems

    The Extreme Risk of Personal Data Breaches & The Erosion of Privacy

    Personal data breaches from organisations, enabling mass identity fraud, constitute an extreme risk. This risk worsens daily as an ever-growing amount of personal data are stored by organisations and on-line, and the attack surface surrounding this data becomes larger and harder to secure. Further, breached information is distributed and accumulates in the hands of cyber criminals, thus driving a cumulative erosion of privacy. Statistical modeling of breach data from 2000 through 2015 provides insights into this risk: A current maximum breach size of about 200 million is detected, and is expected to grow by fifty percent over the next five years. The breach sizes are found to be well modeled by an extremely heavy tailed truncated Pareto distribution, with tail exponent parameter decreasing linearly from 0.57 in 2007 to 0.37 in 2015. With this current model, given a breach contains above fifty thousand items, there is a ten percent probability of exceeding ten million. A size effect is unearthed where both the frequency and severity of breaches scale with organisation size like $s^{0.6}$. Projections indicate that the total amount of breached information is expected to double from two to four billion items within the next five years, eclipsing the population of users of the Internet. This massive and uncontrolled dissemination of personal identities raises fundamental concerns about privacy. Comment: 16 pages, 3 sets of figures, and 4 tables

    An Empirical Assessment of the Use of Password Workarounds and the Cybersecurity Risk of Data Breaches

    Passwords have been used for a long time to grant controlled access to classified spaces, electronics, networks, and more. However, the dramatic increase in user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their organization and personal information. The increased use of IS as a working tool for employees increases the number of accounts and passwords required. Despite being more aware of password entropy, users still often participate in deviant password behaviors, known as ‘password workarounds’ or ‘shadow security.’ These deviant password behaviors can put individuals and organizations at risk, resulting in data privacy. This study, engaging 303 IS users and 27 Subject Matter Experts (SMEs), focused on designing, developing, and empirically validating Password Workaround Cybersecurity Risk Taxonomy (PaWoCyRiT)—a model supported on perceived cybersecurity risks from Password Workarounds (PWWA) techniques and their usage frequency. A panel of SMEs validated the PWWA list from existing literature with recommended adjustments. Additionally, the perception level of the cybersecurity risks of each technique was measured from the 27 SMEs and 303 IS users. They also provided their self-reported and reported on coworkers' engagement frequencies related to the PWWA list. Noteworthy, significant differences were found between SMEs and IS users in their aggregated perceptions of cybersecurity risks of the PWWAs, with IS users perceiving higher risks. Engagement patterns varied between the groups, as well as factors like years of IS experience, gender, and job level had significant differences among groups. The PaWoCyRiT was developed to provide insights into password-related risks and behaviors

    Overcoming Data Breaches and Human Factors in Minimizing Threats to Cyber-Security Ecosystems

    This mixed-methods study focused on the internal human factors responsible for data breaches that could cause adverse impacts on organizations. Based on the Swiss cheese theory, the study was designed to examine preventative measures that managers could implement to minimize potential data breaches resulting from internal employees' behaviors. The purpose of this study was to provide insight to managers about developing strategies that could prevent data breaches from cyber-threats by focusing on the specific internal human factors responsible for data breaches, the root causes, and the preventive measures that could minimize threats from internal employees. Data were collected from 10 managers and 12 employees from the business sector, and 5 government managers in Ivory Coast, Africa. The mixed methodology focused on the why and who using the phenomenological approach, consisting of a survey, face-to-face interviews using open-ended questions, and a questionnaire to extract the experiences and perceptions of the participants about preventing the adverse consequences from cyber-threats. The results indicated the importance of top managers to be committed to a coordinated, continuous effort throughout the organization to ensure cyber security awareness, training, and compliance of security policies and procedures, as well as implementing and upgrading software designed to detect and prevent data breaches both internally and externally. The findings of this study could contribute to social change by educating managers about preventing data breaches who in turn may implement information accessibility without retribution. Protecting confidential data is a major concern because one data breach could impact many people as well as jeopardize the viability of the entire organization

    From Convergence to Compromise: Understanding the Interplay of Digital Transformation and Mergers on Data Breach Risks in Local and Cross-Border Mergers

    In today's digital age, the potential risks and challenges associated with digital transformation (DT) and cybersecurity have received limited research attention. This dissertation consists of three interconnected studies that aim to address this gap. The first study employs paradox theory to demonstrate that DT initiatives can increase a firm's susceptibility to data breaches. Using a unique dataset spanning 10 years and involving 3604 brands, our analysis reveals that DT efforts in mobile and digital marketing are associated with a higher incidence of data breaches. However, firms can mitigate this impact by enhancing their innovative capacities. These findings contribute to a better understanding of the complex relationship between DT, data breaches, and innovation. Our second investigation, rooted in complexity theory and matching theory, examines the impact of mergers and acquisitions (M&As) on the frequency of data breaches. By analyzing 18 years of data from 5072 US firms, we find that M&As increase the likelihood of data breaches, particularly when the merging firms operate in different business domains. Furthermore, we observe that M&As that receive more media attention are more prone to data breaches, while those involving a more vulnerable target firm have fewer breaches. In our third study, guided by Institutional theory, we explore the relationship between cross-border mergers and acquisitions (CBMA) and data breaches. Our findings indicate that CBMAs, especially those accompanied by significant media publicity and involving firms from divergent institutional contexts, heighten the risk of data breaches. Overall, these studies provide valuable insights for firms aiming to mitigate data breach risks during their digital transformation (DT) efforts and M&A activities. They emphasize the importance of adopting a balanced communication strategy and considering the security implications of strategic actions. Moreover, our findings contribute to the academic discourse in information systems by illuminating the intricate interplay between DT, M&As, and data breaches

    Cybersecurity Challenges and Solutions in the Fintech Mobile App Ecosystem

    The rapid growth of the fintech industry, driven by the proliferation of mobile applications, has revolutionized financial services, providing unprecedented convenience to users. However, this innovation comes with inherent cybersecurity challenges that demand rigorous attention. This study delves into the complex and ever-evolving landscape of cybersecurity within the fintech mobile app ecosystem, aiming to identify challenges and present viable solutions. Cybersecurity threats in the fintech mobile app ecosystem encompass a broad spectrum, including data breaches, malware attacks, phishing schemes, and identity theft. As fintech apps handle sensitive financial data and transactions, they are prime targets for malicious actors seeking financial gain. To address these threats, this research examines current cybersecurity strategies and emerging technologies, such as advanced encryption, biometric authentication, and AI-driven anomaly detection. Furthermore, regulatory frameworks and industry standards play a crucial role in shaping cybersecurity practices within fintech. This study assesses the impact of compliance requirements on fintech companies and their ability to protect user data. Real-world case studies and incident analyses provide valuable insights into the consequences of cybersecurity breaches in this sector. Ultimately, this research aims to contribute to a comprehensive understanding of the multifaceted cybersecurity challenges faced by the fintech mobile app ecosystem and offers practical recommendations for fintech firms, regulators, and cybersecurity professionals to enhance security measures. Strengthening the security foundation is paramount to sustaining user trust, fostering continued innovation, and securing the future of mobile fintech

    Breach Notification Requirements Under the European Union Legal Framework: Convergence, Conflicts, and Complexity in Compliance, 31 J. Marshall J. Info. Tech. & Privacy L. 317 (2014)

    The European Union (EU) legal landscape on data privacy and information security is undergoing significant changes. A prominent legislative development in recent years is the introduction of breach notification requirements within a number of regulatory instruments. In only the past two years, the Community legislator has adopted, and proposed, four different regulatory instruments containing breach notification requirements. There are also existing requirements for the telecom sector. This creates a complex mesh of regulatory frameworks for breach notification where different aspects of the same breach within the same company might have to be dealt with under different regulatory instruments, making compliance with such requirements challenging. In this article, the existing and en route breach notification requirements under the EU legal framework are examined – elaborating their potential areas of convergence or conflict and the resulting complexity in compliance with such requirements. To this end, the article examines the scope of the notification regimes, the types of breaches, when a breach is considered to occur under the relevant rules, and the relevant requirements to notify stakeholders. Furthermore, the article examines why a proactive approach to compliance with breach notification requirements is essential and suggests the need to address breach notification requirements in conjunction with security risk analysis, which is being mandated in most of the regulatory instruments

    The Influence of Cognitive Factors and Personality Traits on Mobile Device User's Information Security Behavior

    As individuals have become more dependent on mobile devices to communicate, to seek information, and to conduct business, their susceptibility to various threats to information security has also increased. Research has consistently shown that a user’s intention is a significant antecedent of information security behavior. Although research on user’s intention has expanded in the last few years, not enough is known about how cognitive factors and personality traits impact the adoption and use of mobile device security technologies. The purpose of this research was to empirically investigate the influence of cognitive factors and personality traits on mobile device user’s intention in regard to mobile device security technologies. A conceptual model was developed by combining constructs from both the Protection Motivation Theory (PMT) and the Big Five Factor Personality Traits. The data was collected using a web-based survey according to specific inclusion and exclusion criteria. Respondents were limited to adults 18 years or older who have been using their mobile devices to access the internet for at least one year. The Partial Least Square Structural Equation Modeling (PLS-SEM) was used to analyze the data gathered from a total of 356 responses received. The findings of this study show that perceived threat severity, perceived threat susceptibility, perceived response costs, response efficacy, and mobile self-efficacy have a significant positive effect on user’s intention. In particular, mobile self-efficacy had the strongest effect on the intention to use mobile device security technologies. Most of the personality traits factors were not found significant, except for conscientiousness. The user’s intention to use mobile device security technologies was found to have a significant effect on the actual usage of mobile device security technologies. Hence, the results support the suitability of the PMT and personality factors in the mobile device security technologies context. This study has contributed to information security research by providing empirical results on factors that influence the use of mobile device security technologies

    The effect of information security breaches on publicly listed companies’ business performance : Research about the impact of distinct information security breach types on stock market value of publicly listed companies

    The negative repercussions of cyber threats on business entities are substantial. However, the existing body of research on this topic presents contradictory or imprecise findings, impeding the establishment of a consensus on effective prevention or mitigation strategies. Compounding this issue is the lack of precision and standardization in measuring and categorizing information security breaches. This study aims to enhance our understanding of the direct and long-term impacts of information security breaches on business performance, specifically by utilizing a novel classification to measure differential impacts on the stock market value of publicly listed companies. To achieve this, the following research question is posed: What are the respective impacts of disruptive and exploitative information security breaches on the stock market value of publicly listed companies, and how do these impacts evolve over time? Drawing on prior research indicating the relevance of disruptive and exploitative characteristics in understanding the effects of information security breaches on victim companies, this study seeks to improve precision and standardization in breach measurement. To answer the research question, an extensive quantitative analysis is conducted using the Cyber Event Database from the University of Maryland and historical stock market data. The investigation focuses on identifying correlations between information security breaches and stock market responses. The findings reveal that information security breaches significantly harm business performance in the short- and long-term, particularly when breaches exhibit exploitative characteristics. Moreover, these adverse effects persist long after the occurrence of the breach. The outcomes of this research provide decision-makers with valuable insights to better comprehend, anticipate, and prepare for the persistent threats posed by information security breaches. Additionally, this study contributes to existing research by expanding upon previous works. Nevertheless, further research is warranted to gain a more comprehensive understanding of the intricate dynamics within cyberspace