84 research outputs found

    Modeling inertia causatives: validating in the password manager adoption context

    Cyber criminals are benefiting from the fact that people do not take the required precautions to protect their devices and communications. It is the equivalent of leaving their home’s front door unlocked and unguarded, something no one would do. Many efforts are made by governments and other bodies to raise awareness, but this often seems to fall on deaf ears. People seem to resist changing their existing cyber security practices: they demonstrate inertia. Here, we propose a model and instrument for investigating the factors that contribute towards this phenomenon

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

    Critical success factors for integrating security into a DevOps environment

    Integrating security into a DevOps environment, also known as DevSecOps, can allow organisations to deliver more secure applications and services faster to market. While many publications address the theoretical benefits and challenges of security integration, there is a lack of practical insight to guide organisations towards a successful integration. As a result, many organisations fail to achieve DevSecOps due to the historical differences that hinder collaboration between teams. This study investigates the critical success factors for DevSecOps integration using a case study approach. Semi-structured interviews were held with eight senior staff members directly involved in establishing DevSecOps integration within a large organisation. Thematic analysis of data across three categories (people, processes, and technology) identified eight major themes: executive support, security champions, security training, way-of-working, governance framework, secure pipeline, automation, and technology. Based on these findings a framework is proposed to inform and guide organisations on DevSecOps integration

    Aspects of Digital Forensics in South Africa

    This paper explores the issues facing digital forensics in South Africa. It examines particular cyber threats and cyber threat levels for South Africa and the challenges in addressing the cybercrimes in the country through digital forensics. The paper paints a picture of the cybercrime threats facing South Africa and argues for the need to develop a skill base in digital forensics in order to counter the threats through detection of cybercrime, by analyzing cybercrime reports, consideration of current legislation, and an analysis of computer forensics course provision in South African universities. The paper argues that there is a need to develop digital forensics skills in South Africa through university programs, in addition to associated training courses. The intention in this paper is to promote debate and discussion in order to identify the cyber threats to South Africa and to encourage the development of a framework to counter the threats – through legislation, high tech law enforcement structures and protocols, digital forensics education, digital forensics skills development, and a public and business awareness of cybercrime threats

    Factors influencing the intention to adopt NFC mobile payments – A South African perspective

    Near-field communication (NFC) is an emerging technology that is receiving global attention. NFC mobile payments are being deployed by many hardware vendors, technology companies and financial institutions. Their aim is to facilitate the use of mobile phones as a contactless payment device. A problem is the uncertainty around consumer adoption of this emerging technology. In this study we examined several factors from prior mobile payment studies, as antecedents of the intention to adopt NFC mobile payments. We present results from an online survey of 331 respondents, testing our proposed research model. Using the PLS approach to structural equation modeling (SEM) we find that security and trust concerns play a significant role in influencing perceived risk. Social influence and ease of use have a significant positive effect on perceived value. We find that perceived value is the only significant factor influencing the intention to adopt. Our findings support previous studies in the mobile payments domain. Our model can be of practical value in deciding where to invest resources in the marketing and deployment of such technologies

    Green Information Systems: Building Competences in Students


    Revealing the cyber security non-compliance “attribution gulf”

    Non-compliance is a well-known issue in the field of cyber security. Non-compliance usually manifests in an individual’s sins of omission or commission, and it is easy to conclude that the problem is attributable to their personal flawed decision making. However, the individual’s decision not to comply is likely also to be influenced by a range of environmental and contextual factors. Bourdieu, for example, suggests that personal habitus influences decisions. We identified a wide range of possible explanations for non-compliance from the research literature and classified these, finding that a number of the identified factors were indeed habitus related. We then used Q-methodology to determine which of these non-compliance explanations aligned with public attributions of non-compliance causatives. We discovered an “attribution gulf”, with popular opinion attributing non-compliance primarily to individual failings or ignorance. The existence of this attribution gap means that those designing cyber security interventions are likely to neglect the influence of habitus on choices and decisions. We need to broaden our focus if non-compliance is to be reduced

    A cyber situational awareness model to predict the implementation of cyber security controls and precautions by SMEs

    Purpose: There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions. Design/methodology/approach: In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model. Findings: The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls. Research limitations/implications: While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention. Practical implications: The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures. Originality/value: This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures

    Security fatigue: a case study of data specialists

    Due to the number of data breaches occurring worldwide there is increasing vigilance regarding information security. Organisations employ a variety of technical, formal, and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees with security-related tasks. Security compliance behaviour is a finite resource and when employees engage in cost-benefit analyses that extend tolerance thresholds, security fatigue may set in. Security fatigue has been described as a despondency and weariness to experience any further security tasks. This study used a case study approach to investigate employee security fatigue, focusing on data specialists. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company. A thematic analysis of the data revealed several interlinked themes that evidence security fatigue. Awareness and understanding of these themes can help organisations to monitor for this and tailor security activities, such as security education, training, and awareness for increased effectiveness