50 research outputs found

    SecurityCom: A Multi-Player Game for Researching and Teaching Information Security Teams

    A major portion of government and business organizations’ attempts to counteract information security threats is teams of security personnel. These teams often consist of personnel of diverse backgrounds in specific specialties such as network administration, application development, and business administration, resulting in possible conflicts between security, functionality, and availability. This paper discusses the use of games to teach and research information security teams and outlines research to design and build a simple, team-oriented, configurable, information security game. It will be used to study how information security teams work together to defend against attacks using a multi-player game, and to study the use of games in training security teams. Studying how information security teams work, especially considering the topic of shared-situational awareness, could lead to better ways of forming, managing, and training teams. Studying the effectiveness of the game as a training tool could lead to better training for security teams

    A Response to the AIS Bright ICT Initiative

    In 2015, the President of the Association for Information Systems introduced the Bright ICT Initiative (Lee 2015), which provides a framework for improving Internet security based on four principles: origin responsibility, deliverer responsibility, rule-based digital search warrants, and traceable anonymity. We review these principles and show that at least three of these principles are at odds with the United Nations' Universal Declaration of Human Rights and the founding principles of the Internet and may actually decrease individual security. We conclude by giving suggestions for developing principles more in line with human rights.

    Interplay of Desktop and Mobile Apps with Web Services in an Introductory Programming Course

    This paper describes a case study of a second-semester introductory programming course for information systems (IS) students that combined desktop and mobile application development and consumption of existing web services. Our aim was to provide students with a holistic view of how different types of applications can be developed and combined to solve real-world problems, as the students learned the basics of programming. Students progressively built a desktop Java application with a graphical user interface for a local public transit system. It combined the use of basic algorithms, existing web services for geo-coding and mapping to illustrate a recommended route on the system. Students then ported this application to the Android platform re-using most of the code they had already developed. Along with fulfilling the traditional objectives of an introductory course, this course also demonstrated the possible interplay of stand-alone components and web services in desktop and mobile applications and kept the students motivated and engaged throughout the semester

    Expressing uncertainty in security analytics research: a demonstration of Bayesian analysis applied to binary classification problems

    A common application of security analytics is binary classification problems, which are typically assessed using measures derived from signal detection theory, such as accuracy, sensitivity, and specificity. However, these measures fail to incorporate the uncertainty inherent to many contexts into the results. We propose that the types of binary classification problems studied by security researchers can be described based on the level of uncertainty present in the data. We demonstrate the use of Bayes data analysis in security contexts with varying levels of uncertainty and conclude that Bayesian analysis is particularly relevant in applications characterized by high uncertainty. We discuss how to apply similar analyses to other information security research

    Protection Motivation and Deterrence: Evidence from a Fortune 100 Company

    This paper contains a conceptual replication of Herath and Rao (2009), who tested the Integrated Protection Motivation Theory (PMT) and General Deterrence Theory (GDT) model of security policy compliance under the umbrella of the Decomposed Theory of Planned Behavior (DTPB). This study replicates their research model except for the Response Cost construct. In contrast to the original study, all data for this replication comes from a single organization, and the survey instrument references a security policy specific to this organization, not generic security policies in multiple organizations. Our results, based on 437 observations, confirm some of the original findings but not all. Relationships stemming from Organizational Commitment, Resource Availability, Security Breach concern level and Subjective Norms are similar across both studies. The findings for other relationships drawn from PMT, GDT, and TPB are mixed. We believe that the evidence provided in this conceptual replication of the Integrated Model (Herath & Rao, 2009) supports the robustness of parts of the model. We encourage future research and practice to focus on replicating and confirming the parts of the model that are similar in both studies

    A Model for the Impact of Task Complexity on Deception in a Group Decision Making Task

    This paper reports the results of a pilot study of a group decision making task. A research model and hypotheses are presented related to the larger main study which has yet to be conducted. The purpose of this series of studies is to investigate the impact of task complexity on truthful and deceptive participants in a group computer mediated communication (CMC) scenario. The pilot study tests perceived task difficulty when task complexity is manipulated. The results show the desired difference in task complexity is perceived by the participants. These results set the stage for the next phase of this study in which a deception manipulation will be introduced

    Employees’ Adherence to Information Security Policies: A Partial Replication

    This paper conducts a partial replication of Siponen et al. (2014), which developed a multi-theory based model that explained employees’ adherence to security policies. Their paper combined elements from Protection Motivation Theory (PMT), the Theory of Reasoned Action, and Cognitive Evaluation Theory. This study is a partial conceptual replication of the PMT portion of their model. We collected our data from employees of a large mid-western university. Our results, based on 110 records, contradict the findings of the original study. Whereas three of the four constructs in the original study (Severity, Vulnerability, and Self-Efficacy) were found to be significant, our study found the opposite: the only significant path was Response Efficacy. Our study failed to replicate the findings in the original paper. Future studies are encouraged to methodically replicate the original study by using the same measures, treatments and statistics.

    The rise of inconspicuous consumption

    Ever since Veblen and Simmel, luxury has been synonymous with conspicuous consumption. In this conceptual paper we demonstrate the rise of inconspicuous consumption via a wide-ranging synthesis of the literature. We attribute this rise to the signalling ability of traditional luxury goods being diluted, a preference for not standing out as ostentatious during times of economic hardship, and an increased desire for sophistication and subtlety in design in order to further distinguish oneself for a narrow group of peers. We decouple the constructs of luxury and conspicuousness, which allows us to reconceptualise the signalling quality of brands and the construct of luxury. This also has implications for understanding consumer behaviour practices such as counterfeiting and suggests that consumption trends in emerging markets may take a different path from the past