265 research outputs found

    Regulatory Facilitators and Impediments Impacting Cybersecurity Maturity

    Due to society’s increasing reliance on technology (e.g., financial transactions, critical infrastructure, globally-integrated supply chains, etc.), technological disruptions from cyberattacks can have profound implications for virtually all organizations and their stakeholders. In an effort to minimize cyber threats, governments and regulators have been deploying an increasingly comprehensive and complex landscape of regulations; however, the extent to which regulations actually facilitate, or harm, cybersecurity maturity remains nebulous. This research reports the findings of a qualitative study designed to help illuminate this problem space. We interviewed 12 high-ranking experts, associated with a variety of organizations and industries, and analyzed their responses to identify key factors emerging from the data. These factors were found to operate as either facilitators or impediments of cybersecurity maturity. In addition to identifying these factors, we discuss the implications of our findings, limitations, and avenues for future research

    Seeing the forest and the trees: A meta-analysis of information security policy compliance literature

    A rich stream of research has identified numerous antecedents to employee compliance with information security policies. However, the breadth of this literature and inconsistencies in the reported findings warrant a more in-depth analysis. Drawing on 25 quantitative studies focusing on security policy compliance, we classified 105 independent variables into 17 distinct categories. We conducted a meta-analysis for each category’s relationship with security policy compliance and then analyzed the results for possible moderators. Our results revealed a number of illuminating insights, including (1) the importance of categories associated with employees’ personal attitudes, norms and beliefs, (2) the relative weakness of the link between compliance and rewards/punishment, and (3) the enhanced compliance associated with general security policies rather than specific policies (e.g., anti-virus). These findings can be used as a reference point from which future scholarship in this area can be guided.

    Man vs. machine: Investigating the effects of adversarial system use on end-user behavior in automated deception detection interviews

    Deception is an inevitable component of human interaction. Researchers and practitioners are developing information systems to aid in the detection of deceptive communication. Information systems are typically adopted by end users to aid in completing a goal or objective (e.g., increasing the efficiency of a business process). However, end-user interactions with deception detection systems (adversarial systems) are unique because the goals of the system and the user are orthogonal. Prior work investigating systems-based deception detection has focused on the identification of reliable deception indicators. This research extends extant work by looking at how users of deception detection systems alter their behavior in response to the presence of guilty knowledge, relevant stimuli, and system knowledge. An analysis of data collected during two laboratory experiments reveals that guilty knowledge, relevant stimuli, and system knowledge all lead to increased use of countermeasures. The implications and limitations of this research are discussed and avenues for future research are outlined.

    A Systems Approach to Countermeasures in Credibility Assessment Interviews

    Countermeasures, or techniques for hiding guilt during a credibility assessment examination, have long been an important topic in cognitive psychology and criminal justice fields. With recent IS research on automated screening systems, understanding the potential for countermeasures in this new paradigm is of increasing importance. This paper reports on a large experiment examining countermeasures in an automated deception detection screening context. The effectiveness of traditional countermeasure types (mental and physical) is examined, as well as an exploratory approach of trying several countermeasures at once. The exploratory approach was tested to investigate a proposed novel systems-inspired solution to countermeasures—triangulating on deception likelihood using multiple sensors measuring multiple behavioral and psychophysiological anomalies. The findings give credence to the proposition that monitoring multiple heterogeneous cues to deception may be a viable solution for mitigating the effectiveness of countermeasures.

    Sleight of Hand: Identifying Concealed Information by Monitoring Mouse-Cursor Movements

    Organizational members who conceal information about adverse behaviors present a substantial risk to that organization. Yet the task of identifying who is concealing information is extremely difficult, expensive, error-prone, and time-consuming. We propose a unique methodology for identifying concealed information: measuring people’s mouse-cursor movements in online screening questionnaires. We theoretically explain how mouse-cursor movements captured during a screening questionnaire differ between people concealing information and truth tellers. We empirically evaluate our hypotheses using an experiment during which people conceal information about a questionable act. While people completed the screening questionnaire, we simultaneously collected mouse-cursor movements and electrodermal activity—the primary sensor used for polygraph examinations—as an additional validation of our methodology. We found that mouse-cursor movements can significantly differentiate between people concealing information and people telling the truth. Mouse-cursor movements can also differentiate between people concealing information and truth tellers on a broader set of comparisons relative to electrodermal activity. Both mouse-cursor movements and electrodermal activity have the potential to identify concealed information, yet mouse-cursor movements yielded significantly fewer false positives. Our results demonstrate that analyzing mouse-cursor movements has promise for identifying concealed information. This methodology can be automated and deployed online for mass screening of individuals in a natural setting without the need for human facilitators. Our approach further demonstrates that mouse-cursor movements can provide insight into the cognitive state of computer users

    Measuring Hacking Ability Using a Conceptual Expertise Task

    Hackers pose a continuous and unrelenting threat to organizations. Industry and academic researchers alike can benefit from a greater understanding of how hackers engage in criminal behavior. A limiting factor of hacker research is the inability to verify that self-proclaimed hackers participating in research actually possess their purported knowledge and skills. This paper presents current work in developing and validating a conceptual-expertise based tool that can be used to discriminate between novice and expert hackers. The implications of this work are promising since behavioral information systems researchers operating in the information security space will directly benefit from the validation of this tool. Keywords: hacker ability, conceptual expertise, skill measurement

    Trends in Phishing Attacks: Suggestions for Future Research

    One of the most common and costly forms of deception and fraud online is phishing. Due to the ramifications of successful phishing attacks, security experts and researchers seek to better understand this phenomenon. Prior phishing research has addressed the “bait” and “hook” components of phishing attacks, the human-computer interaction that takes place as users judge the veracity of phishing emails and websites, and the development of technologies that can aid users in identifying and rejecting these attacks. Despite the extant research on this topic, phishing attacks continue to be successful as tactics evolve, rendering existing research less relevant. Although numerous tools have been created to aid people in recognizing phishing attacks, users disregard the recommendations of these tools. This paper summarizes the core of phishing research, provides an update on trending attack methods, and proposes future research addressing computer credibility in a phishing context.

    When Disclosure is Involuntary: Empowering Users with Control to Reduce Concerns

    Modern organizations must carefully balance the practice of gathering large amounts of valuable data from individuals with the associated ethical considerations and potential negative public image inherent in breaches of privacy. As it becomes increasingly commonplace for many types of information to be collected without individuals' knowledge or consent, managers and researchers alike can benefit from understanding how individuals react to such involuntary disclosures, and how these reactions can impact evaluations of the data-collecting organizations. This research develops and empirically tests a theoretical model that shows how empowering individuals with a sense of control over their personal information can help mitigate privacy concerns following an invasion of privacy. Using a controlled experiment with 94 participants, we show that increasing control can reduce privacy concerns and significantly influence individuals' attitudes toward the organization that has committed a privacy invasion. We discuss theoretical and practical implications of our work.

    Structural Basis of Chemokine Sequestration by a Tick Chemokine Binding Protein: The Crystal Structure of the Complex between Evasin-1 and CCL3

    Chemokines are a subset of cytokines responsible for controlling the cellular migration of inflammatory cells through interaction with seven transmembrane G protein-coupled receptors. The blocking of a chemokine-receptor interaction results in a reduced inflammatory response, and represents a possible anti-inflammatory strategy, a strategy that is already employed by some viruses and parasites. Anti-chemokine activity has been described in the extracts of tick salivary glands, and we have recently described the cloning and characterization of such chemokine binding proteins from the salivary glands, which we have named Evasins. We have solved the structure of Evasin-1, a very small and highly selective chemokine-binding protein, by x-ray crystallography and report that the structure is novel, with no obvious similarity to the previously described structures of viral chemokine binding proteins. Moreover it does not possess a known fold. We have also solved the structure of the complex of Evasin-1 and its high affinity ligand, CCL3. The complex is a 1:1 heterodimer in which the N-terminal region of CCL3 forms numerous contacts with Evasin-1, including prominent pi-pi interactions between residues Trp89 and Phe14 of the binding protein and Phe29 and Phe13 of the chemokine. However, these interactions do not appear to be crucial for the selectivity of the binding protein, since these residues are found in CCL5, which is not a ligand for Evasin-1. The selectivity of the interaction would appear to lie in the N-terminal residues of the chemokine, which form the "address" whereas the hydrophobic interactions in the rest of the complex would serve primarily to stabilize the complex. A thorough understanding of the binding mode of this small protein, and its other family members, could be very informative in the design of potent neutralizing molecules of pro-inflammatory mediators of the immune system, such as chemokines.