11 research outputs found

    Teaching Tip: Hackalytics: Using Computer Hacking to Engage Students in Analytics

    The demand for qualified analytics professionals remains high with forecasts showing a continued need over the next few years. While this demand necessitates instruction in analytics in the classroom, many students find analytics concepts to be complicated and boring. This teaching brief describes a novel approach to teaching analytics through computer hacking. Students are exposed to the entire data lifecycle by first collecting intrusion detection data through the hacking of other student machines and then utilizing simple analytics procedures to analyze this data. Qualitative results show that the students enjoy the activity both in terms of the fun of hacking their fellow classmates as well as analyzing this data in an area less utilized in analytics instruction – security analytics. Three levels of the exercise are provided as well as how-to materials for students to run the exercise

    Developing an Unintentional Information Security Misbehavior Scale (UISMS)

    Although the number of security incidents and data breaches caused by humans is increasing, no well-established scale exists to measure individuals’ information security misbehaviors in interaction with the information systems. Knowing that individuals’ misbehaviors differ in terms of intentions, in this research, we identify important unintentional behaviors that users may threaten security through non-malicious actions and develop a unified information security misbehaviors scale aiming to exhibit acceptable psychometric properties. We believe such a measurement tool can help researchers to investigate various causes of human errors in system-user interactions and guide practitioners to make strategic decisions in organizations. Our goal is to build a set of Likert scale questions by exploring literature, security experts’ advice, or adopting security policies implemented in organizations to find out what type of individuals’ mistakes may lead to unintentional security misbehaviors

    Understanding employee non-malicious intentional and unintentional information security misbehaviors

    Digitization has given rise to information system security (ISS) risks since the adoption of new technologies (e.g., IoT and multi-cloud environments) has increased vulnerabilities to ISS threats. The behavioral ISS literature depicts employees within organizations (insiders) as a major information security threat. Previous research extensively investigated insiders' intentional ISS misbehaviors. However, a growing number of security incidents by non-malicious insiders implies that potential factors influencing employees' non-compliance behaviors with information security policies (ISPs) are yet to be addressed. To this end, we conduct four studies (four essays) to understand why employees violate ISPs. Two studies investigate factors that lead to non-malicious intentional ISP violations. The other two studies explore how and why non-malicious unintentional ISP violations occur. Drawing on the person-technology fit model, essay 1 investigates how employees' interaction with information technology (IT) increases ISS vulnerabilities. This essay sheds light on the impact of one understudied aspect of IT use, technostress, on employees' non-malicious ISP violation intentions. Essay 2 relies on organizational role theory and explains stress resulting from role expectations, including intra-role activities (e.g., job tasks) and extra-role activities (e.g., ISS requirements) could cause ISP non-compliance behaviors. To distinguish non-malicious intentional insiders from unintentional insiders, Essay 3 employs the dual-system theory to describe the mechanism of employees' decision-making process to comply (or not comply) with ISPs and aims to investigate the impact of some personality traits like risk-taking behaviors, impulsivity, and curiosity on employees' ISS misbehaviors. Finally, to explore unknown factors influencing non-compliance behaviors with ISPs (e.g., individual, organizational), essay 4 proposes an in-depth qualitative approach to distinguish non-malicious intentional and unintentional ISS misbehaviors and identify potential causes rooted in each type of misbehavior. Overall, the dissertation highlights the importance of individual differences in perceptions of technostress, role stress, and personality traits. Moreover, it differentiates the nature of ISP violations based on the intents of employees and challenges the existing knowledge and theoretical frameworks regarding insiders' information security behaviors at the workplace. In doing so, proposed theoretical models are assessed empirically by utilizing data (both interviews and online surveys) from a sample of employees from different organizations

    A Qualitative Approach to Understand Unintentional Information Security Misbehaviors

    Insiders within organizations increase the risk of security incidents through non-malicious intentions. Previous research extensively investigated potential factors influencing intentional information security misbehaviors, either malicious or non-malicious. However, potential causes rooted in unintentional information security misbehaviors are less known. Drawing on an in-depth qualitative approach, this paper seeks to provide a rich understanding of why employees unintentionally violate information security policies. Interviews with employees and information security management teams are conducted across various industries. Following qualitative data analyses, we aim to identify possible organizational and human factors causing unintentional information security misbehaviors and explain to what degree each of these influencers is associated with certain misbehavior. This leads to achieving two main objectives of this study. First, to distinguish the motives of non-malicious unintentional insiders from non-malicious intentional insiders. Second, to challenge the existing knowledge and theoretical frameworks regarding insiders’ information security behaviors at the workplace

    Psychological Contract Violations on Information Disclosure: A Study of Institutional Arrangements in Social Media Platforms

    Previous research investigating information disclosure with online merchants has extended social contract theory using psychological contracts to explain the nature of the relationship between the consumer and merchant. This research extends the role of psychological contracts to social media platforms (SMP) by investigating how institutional psychological contract violations (PCV) influence trust in the SMP through institutional arrangements. Using a sample from MTurk, we presented two hypothetical scenarios manipulating the degree of PCV. Our findings suggest institutional PCVs act differently on institutional arrangements. Institutional PCVs impact attitudes toward institutional arrangements and trust in the SMP

    Inclusion of Gamification Elements in the Context of Virtual Lab Environments to Increase Educational Value

    Previous research on gamification and virtual laboratories has suggested that both produce successful educational outcomes, but few studies have looked at both gamification and virtual labs in tandem. Drawing on social cognitive theory, we investigate gamification in the virtual labs’ context to examine whether learners’ educational performance is enhanced. In particular, we employ leaderboards as a motivational gamification mechanism for more engagement and participation that can result in higher learning outcomes. Using a student sample, our results show that using gamification within a virtual lab environment results in higher student performance; specifically, it helps them complete more-complex tasks and increases their self-efficacy. Our findings show promising evidence that gamification in virtual lab learning environments positively influences learning

    Will SOC telemetry data improve predictive models of user riskiness? A work in progress

    Security Operation Centers (SOC) play a key role in protecting organizations from many cybersecurity threats, such as system intrusion or information breaches. A major challenge in improving SOC operations is the adequacy of the data used to identify such threats. Detection tools employed by SOCs are largely based on observable telemetry indicators (e.g., network traffic patterns or system logs and activities collected from user devices). However, the use of such telemetry data without understanding human behaviors in-depth can lead to increasing false-positive alerts. Prior work shows that it can even be a more significant problem when analysts largely ignore alerts if they are overwhelmingly false-positive. These false positive alerts raise SOC analysts’ cognitive workload, diminish conscious cognitive processing, and decrease their trust in future alerts

    Best of Both Worlds: The Inclusion of Gamification in Virtual Lab Environments to Increase Educational Value

    Previous research investigating gamification and virtual laboratories has suggested that both are successful in educational outcomes, but few have looked at both gamification and virtual labs in tandem. This research explores the idea of investigating both contexts within one unified platform. We examine whether using gamification within virtual labs is effective in enhancing learners’ educational performance. Particularly, we employ leaderboards as a motivational gamification mechanism for more engagement and participation that can result in higher learning outcomes. Using a sample of students, our results show that utilization of gamification within a virtual lab environment causes students to exhibit higher performance in terms of more task accomplishments (specifically more complex tasks) and higher self-efficacy. The current findings show promising evidence on the positive influence of gamification within virtual lab learning environments

    Do measures of security compliance intent equal non-compliance scenario agreement?

    To better protect organizations from the threat of insiders, IS security (ISS) research frequently emphasizes IS Security Policy (ISP) behavior. The effectiveness of an assessment model is typically analyzed either using short survey statements (behavior survey) or by using scenario agreement (prospective scenario) to measure current and prospective compliance (or non-compliance) behavior. However, a significant gap is the lack of statistical evidence to demonstrate that these two measures or dependent variables (DV) sufficiently agree with one another. We report on an effort to compare and contrast two assessment models which employed alternate styles of DVs and demonstrate that the primary construct from two different ISS behavioral theories had approximately the same effect size on either of the DVs. Our findings add support for substantial (but not overly correlated) synchronization between the two DV values, since we also observe that the prospective scenario non-compliance measure resulted in lower model fit while the behavior survey compliance measures fit both models with higher accuracy. We discuss our findings and recommend that for many studies there can be value in employing both DVs

    Psychological Contract Violation and Sharing Intention on Facebook

    While there is a psychological component to every written contract, it is particularly the case for exchanges on social network sites (SNS), where users tend to ignore the user agreement. As a form of social exchange, content sharing on SNS is guided by a psychological contract, i.e., implicit and assumed reciprocal obligations. This study investigates how psychological contract violations (PCVs) affect people’s sharing intentions on Facebook. Based on a survey of 347 Facebook users, we find that sharing intention is negatively influenced by interpersonal and institutional PCVs through SNS users’ information privacy concern and trust. Interestingly, PCV by another user positively influences the affected user’s perceived violation by the SNS, suggesting a collateral damage of interpersonal PCV towards SNS. This paper adds to the privacy literature on SNS by revealing the fundamental role of PCV that alters users’ trust and information privacy concern in online social exchange