39 research outputs found

    Bait the hook to suit the phish, not the phisherman: A field experiment on security networks of teams to withstand spear phishing attacks on online social networks

    In this paper, we present our research in progress of a field experiment conducted to observe the impact of collective security behavior of teams when being targeted with a spear phishing attack on online social networks. To observe the shaping of security networks in teams, fifteen different honeypot profiles were created to send spear phishing messages after an initial bonding of eight weeks to the target group of 76 people. The experiment simulated a regular communication on online social networks of three teams of an international organization. The team members were entangled in personal and individual chats on an online social network to later react to an unexpected and unforeseen spear phishing message. As previous research has shown, various aspects influence the spear phishing susceptibility, but the collective security behavior has currently been neglected. This work plans to evaluate how security networks are being formed, the factors relevant to shape those networks and efforts to protect against spear phishing attacks.

    Toward an Effective SETA Program: An Action Research Approach

    This study uses action research methods at a large US healthcare facility to create a security education training and awareness (SETA) program that is focused on three threats: phishing, unauthorized use of cloud services, and password sharing. The SETA training was based on self-regulation theory. Findings indicate that the training was effective at helping users to identify and avoid all three threats to the environment. Future research directions based on this study are also discussed.

    Designing A Scalable Intervention for Adult Learners’ Negative Academic Self-concept

    Information technology is key to developing efficient tools in traditional education. Little is known, however, about how information technology should be leveraged in continuing education, which is of increasing importance in recent years. This paper aims to meet this research gap by extending a design science research model to continuing education. Specifically, we follow the DSR model to design a scalable intervention targeting negative academic self-concept in continuing education, a key challenge confronting adult learners. This intervention design will leverage augmented reality to deliver a growth mindset of intelligence. On the one hand, augmented reality contributes to active information processing, benefiting adult learners to efficiently build a growth mindset of intelligence. On the other hand, augmented reality provides adequate scalability and flexibility for repeat, relieving the implementation limitation. To summarize, by presenting the way to leverage information technology in continuing education, this study makes both theoretical contributions and practical implications.

    Optimization of Human, Technological, Administrative Resources for Decision-Making in Information Security Governance

    Problems for decision-making in information security governance are persistent because there are no adequate models. The objective is to generate a model that optimizes human, technological and administrative resources for decision-making in the governance of Information Security. The deductive method and exploratory research were used. A resource optimization model with 95% reliability generated by Cronbach's Alpha resulted; the mathematical justification of the business, information and application architecture with 96.13%, 95.89% and 95.20% confidence respectively generated by the Pearson correlation; an enterprise architecture context diagram; and an algorithm expressed with flowchart techniques with 98.21% degree of association in its elements generated by the multiple correlation coefficient. It was concluded that with the proposed model, a company's resources can be optimized for information security governance; so that managers have adequate support for making decisions with a mathematical basis with simulations in quantities of components within the architectures; so that the function in business management becomes simpler by applying a general model that can be adapted to various types of companies to achieve success for decision making in security governance of information security.

    Contextualizing Gamification Design: Using Extended Achievement Goal Theory to Understand College Learner Differences

    Gamification is considered a promising approach to motivating learners. Yet, existing research found an inconsistent motivating impact of gamification designs. This paper explores individual differences in gamification design in the college learning context. Drawing upon the extended achievement goal theory, we posit that individuals’ academic and social achievement goal orientations can portray user types for gamification designs in a learning environment. Using data collected from college students, we validate an instrument to measure college learners’ achievement goal orientations. We subsequently identify three clusters of learners: the Self-image Worriers, the Minimizers, and the Eager Learners. We name this learner taxonomy ASGOL (Academic and Social Goal Orientation Learners). We speculate about gamification design implications for supporting all ASGOL types.

    Barking Up the Wrong Tree? Reconsidering Policy Compliance as a Dependent Variable within Behavioral Cybersecurity Research

    A rich body of research examines the cybersecurity behavior of employees, with a particular focus on explaining the reasons why employees comply with (or violate) organizational cybersecurity policies. However, we posit that this emphasis on policy compliance is susceptible to several notable limitations that could lead to inaccurate research conclusions. In this commentary, we examine the limitations of using cybersecurity policy compliance as a dependent variable by presenting three assertions: (1) the link between policy compliance and organizational-level outcomes is ambiguous; (2) policies vary widely in terms of their clarity and completeness; and (3) employees have an inconsistent familiarity with their own organization’s cybersecurity policies. Taken together, we suggest that studying compliance with cybersecurity policies reveals only a partial picture of employee behavior. In response, we offer recommendations for future research.

    Do SETA Interventions Change Security Behavior? – A Literature Review

    Information security education, training, and awareness (SETA) are approaches to changing end-users’ security behavior. Research into SETA has conducted interventions to study the effects of SETA on security behavior. However, we lack aggregated knowledge on ‘how do SETA interventions influence security behavior?’. This study reviews 21 empirical SETA intervention studies published across the top IS journals. The theoretical findings show that the research has extended Protection Motivation Theory by (1) enhancements to fear appeals; (2) drawing attention to relevance; (3) incorporating temporality; (4) and shifting from intentions to behavior. In terms of behavior, the SETA interventions have targeted (1) information security policy compliance behavior; and (2) information protection behavior. We argue that while these studies have provided insights into security intentions and behavior, knowledge on designing effective SETA training has remained primarily anecdotal. We contribute (1) by pointing out gaps in the knowledge; and (2) by proposing tentative design recommendations.

    The manager and the safety culture of the organisation: a conceptual model

    Safety is a problem that every organization that wants to shape its competitiveness must be able to face in order to maintain its advantage on the market. From the point of view of the management process, the implementer of the organisation’s safety is a manager who – in shaping the organisational culture – must take into account safety factors in the broad sense of the word. Safety culture is a determinant of an organisation operating in the second decade of the 21st century. The aim of the study is to present the proprietary conceptual model of the organisation’s safety culture manager. The article was created as a result of a study of the literature on the subject along with the author’s interpretation.

    Is Information Systems Research Concerned with Societal Grand Challenges?

    “Grand challenges” can provide an important orientation regarding whether research deals with societally relevant problems. Yet, many IS scholars have claimed that IS research is often dealing with issues that are of rather little relevance to societal grand challenges. In this “research-in-progress” study, we examine to which degree IS research is concerned with societal grand challenges. We approach this question by thus far analyzing 329 papers published in the leading AIS ‘Basket of Eight’ (AIS 8) IS journals in the year 2020. Using coding analysis rooted in justification theory to clarify why IS research was performed, we map the justifications given in those papers against the grand challenges as set out in the United Nations (UN) Sustainable Development Goals. The findings indicate that IS research seems to be contributing to some societal challenges (e.g., industrial innovation, economic growth or health), while neglecting many others (e.g., societal equality, environmental sustainability and challenges in developing countries).