
    Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches

    Employees’ non-compliance with IS security procedures is a key concern for organizations. To tackle this problem, there exist several training approaches aimed at changing employees’ behavior. However, the extant literature does not examine the elementary characteristics of IS security training, such as the ways in which IS security training differs from other forms of training. We argue that IS security training needs a theory that both lays down these elementary characteristics and explains how these characteristics shape IS security training principles in practice. We advance a theory that suggests that IS security training has certain elementary characteristics that separate it from other forms of training, and we set a fundamental direction for IS security training practices. Second, the theory defines four pedagogical requirements for designing and evaluating IS security training approaches. We point out that no existing IS security training approach meets all of these requirements and demonstrate how to design an IS security training approach that does meet these requirements. Implications for research and practice are discussed.

    Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors

    Employees continue to be the weak link in organizational security management and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making, e.g. protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot- and stick-related situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding.

    Malicious User Experience Design Research for Cybersecurity

    This paper explores the factors and theory behind the user-centered research that is necessary to create a successful game-like prototype, and user experience, for malicious users in a cybersecurity context. We explore what is known about successful addictive design in the fields of video games and gambling to understand the allure of breaking into a system, and the joy of thwarting the security to reach a goal or a reward of data. Based on the malicious user research, game user research, and using the GameFlow framework, we propose a novel malicious user experience design approac

    Designing Information Systems Security Policy Methods: A Meta-Theoretical Approach

    Information systems security policy (ISP) is the critical foundation of information systems security. Despite the criticality of the ISP, information systems security scholars have expressed concerns about the lack of theory and limited methodological support for the development of ISP. Existing literature on ISP Development (ISPD) is scattered and lacks a meta-theoretical approach toward designing ISPD Methods (ISPDM). This paper aims to fill the gap by consolidating extant ISPD approaches and putting forth a systematic way, adopting a meta-theoretic approach, of defining essential principles for designing ISPD methods. After presenting the principles, we demonstrate that none of the existing methods are based on all the essential principles.

    Tree-based Intelligent Intrusion Detection System in Internet of Vehicles

    The use of autonomous vehicles (AVs) is a promising technology in Intelligent Transportation Systems (ITSs) to improve safety and driving efficiency. Vehicle-to-everything (V2X) technology enables communication among vehicles and other infrastructures. However, AVs and Internet of Vehicles (IoV) are vulnerable to different types of cyber-attacks such as denial of service, spoofing, and sniffing attacks. In this paper, an intelligent intrusion detection system (IDS) is proposed based on tree-structure machine learning models. The results from the implementation of the proposed intrusion detection system on standard data sets indicate that the system has the ability to identify various cyber-attacks in the AV networks. Furthermore, the proposed ensemble learning and feature selection approaches enable the proposed system to achieve high detection rate and low computational cost simultaneously. Comment: Accepted in IEEE Global Communications Conference (GLOBECOM) 201

    Learning leaders matter

    Learning leaders position themselves first as learners, then as leaders of other learners. The inherent tensions in this duality are explored in this literature review. Drawing on a broad range of research from education, psychology and neuroscience, the review builds a picture of the situation facing school principals, as leaders of learning communities. The review is directed towards illustrating the professional practice of Developing Self and Others in the Australian Professional Standard for Principals, and focuses on how this practice is demonstrated in the experience of learning leaders. The discussion clarifies key terminology and highlights how leaders need to understand the role of emotions, relationships, attachment behaviours, and collaboration in creating effective and sustainable learning communities. Key issues arising from the literature review include the fact that there is no accepted standard for developing either self or others in the literature. Another is that the idea of developing self or others in a vacuum is becoming increasingly challenged with the realisation that all learning is context specific and interdependent. Finally, an area of considerable dispute in the literature concerns a divide between sociological and psychological standpoints on the role of leader. There is an opportunity for the academy to engage more directly in translating good research into practical orientations that cover the field from a practitioner point of view. The annotated bibliography includes resources from both standpoints.