An Adversarial Dance: Toward an Understanding of Insiders’ Responses to Organizational Information Security Measures

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Balozian, Puzant; Burns, A.; Leidner, Dorothy

Abstract: Despite the increased focus on organizational security policies and programs, s ... Expand

Abstract: Despite the increased focus on organizational security policies and programs, some employees continue to engage in maladaptive responses to security measures (i.e., behaviors other than those recommended, intended, or prescribed). To help shed light on insiders' adaptive and maladaptive responses to IS security measures, we conducted a case study of an organization at the forefront of security policy initiatives. Drawing on the beliefs-actions-outcomes (BAO) model to analyze our case data, we uncover a potentially nonvirtuous cycle consisting of security-related beliefs, actions, and outcomes, which we refer to as an "adversarial dance." Explaining our results, we describe a novel belief framework that identifies four security belief profiles and uncovers an underexplored outcome of IS security: insiders' lived security experiences. We find that individuals' unfavorable lived security experiences produce counterproductive security-related beliefs that, in turn, lead to maladaptive behaviors. Maladaptive behaviors create new potential for security risk, leading to increased organizational security measures to counter them. Thus, the adversarial dance continues, as the new security measures have the potential to reinforce counterproductive security-related beliefs about the importance and risk of IS security and lead to new maladaptive behaviors. To help situate our findings within the current security literature, we integrate the results with prior research based on extant theories. While this paper is not the first to suggest that security measures can elicit maladaptive behaviors, the emergent belief framework and expanded BAO model of IS security constitute an important contribution to the behavioral IS security literature.Puzant Balozian is an assistant professor of computer information systems at James Madison University. His research focus is primarily on the impacts of organizational factors on individual user behaviors in the context of information security and privacy and addressing security policy compliance and violation. Collapse

Topics: IT security IT security defense productivity IT security threat anonymity

Methods: case study qualitative interview personal interview theory development survey

Theories: information systems theory neutralization theory behavioral theory

Towards a thematic dimensional framework of online fraud: An exploration of fraudulent email attack tactics and intentions

2023 | Decision Support Systems | Citations: 1

Authors: Bera, Debalina; Ogbanufe, Obi; Kim, Dan J.

Abstract: Despite anti-phishing filters, social engineering-based cyber-attacks still resu ... Expand

Abstract: Despite anti-phishing filters, social engineering-based cyber-attacks still result in billions of dollars lost annually, significant personal identity theft, loss of corporate secrets, and espionage. We review the phishing literature on psychological attacks and design tactics employed for deception by attackers. The result reveals the need to continuously identify tactics embedded in fraudulent email content to understand why users still fall prey to phishing attacks. Using the literature as a backdrop, we identify and conceptualize a thematic dimensional framework of fraudulent phishing attacks. This study uses benchmark datasets of fraudulent email to empirically validate the proposed dimensional framework. Specifically, a combination of machine learning-based content analysis and topic modeling found a majority of the discovered topics were labeled against the proposed di­ mensions. Statistical analysis was employed to provide empirical evidence of the thematic dimensions of fraudulent email attacks. This study thus, not only extends the cybersecurity literature by identifying and vali­ dating eight dimensions that enrich our understanding of phishing and attack identification but stimulates cu­ mulative research endeavors to develop yet more comprehensive dimensional frameworks of phishing email attacks. Collapse

Topics: phishing email phishing electronic mail email spam personalization

Methods: term frequency–inverse document frequency natural language processing topic model discriminant analysis literature study

What drives the purchase decision in Instagram stores?

2023 | European Conference On Information Systems | Citations: 0

Authors: Eggert, Mathias; Weber, Jannik

Abstract: The popularity of social media and particularly Instagram grows steadily. Peopl ... Expand

Abstract: The popularity of social media and particularly Instagram grows steadily. People use the different channels to share pictures and videos and to communicate with friends. The potential of social media platforms is also being used for marketing purposes and for selling products. While for Facebook and other online social media platforms the purchase decision factors are investigated several times, Instagram stores remain mainly unattended so far. The present research work closes this gap and sheds light into decisive factors for purchasing products offered in Instagram stores. A theoretical research model, which contains selected constructs that are assumed to have a significant influence on Instagram user´s purchase intention, is developed. The hypotheses are evaluated by applying structural equation modelling on survey data containing 127 relevant participants. The results of the study reveal that 'trust', 'personal recommendation', and 'usability' significantly influences user's buying intention in Instagram stores. Collapse

Topics: Instagram usability social media privacy IT security defense

Methods: structural equation modeling survey partial least squares regression computational algorithm literature study

Managing Organizational Cyber Security – The Distinct Role of Internalized Responsibility

2023 | HICSS | Citations: 0

Authors: Faltermaier, Stefan; Strunk, Kim; Obermeier, Michaela; Fiedler, Marina

Abstract: Desirable user behavior is key to cyber security in organizations. However, a co ... Expand

Abstract: Desirable user behavior is key to cyber security in organizations. However, a comprehensive overview on how to manage user behavior effectively, in order to support organizational cyber security, is missing. Building on extant research to identify central components of organizational cyber security management and on a qualitative analysis based on 20 semi-structured interviews with users and IT-Managers of a European university, we present an integrated model on this issue. We contribute to understanding the interrelations of namely user awareness, user IT-capabilities, organizational IT, user behavior, and especially internalized responsibility and relation to organizational cyber security. Collapse

Topics: IT security user behavior information technology capability IT security defense password

Methods: qualitative interview personal interview qualitative coding grounded theory case study

Continuous improvement of information security management: an organisational learning perspective

2023 | European Journal of Information Systems | Citations: 0

Authors: Ghahramani, Fereshteh; Yazdanmehr, Adel; Chen, Daniel; Wang, Jingguo

Abstract: This study explores ways to empower organisations to continuously improve their ... Expand

Abstract: This study explores ways to empower organisations to continuously improve their information security management (ISM). Drawing upon the dynamic capabilities approach, we investigated the mechanism wherein absorptive capacity has an effect. We found that absorptive capacity affects an organisation’s continuous improvement of ISM, with its effect mediated through an organisation’s adaptability to information security threats. In addition, the effect of absorptive capacity on adaptability is contingent upon the organisation’s competitive pressure, which enhances the mediating effect of adaptability. We tested our research model using survey data collected from 130 US-based managers familiar with information security management in their organisations. Theoretical and practical implications of the study are discussed. Collapse

Topics: data security information security management absorptive capacity IT security anonymity

Methods: survey statistical hypothesis test structural equation modeling conceptual modelling ordinary least square

Theories: dynamic capabilities theory

Is Social Learning Always Helpful? Using Quantile Regression to Examine the Impact of Social Learning on Information Security Policy Compliance Behavior.

2023 | HICSS | Citations: 0

Authors: Hengstler, Sebastian; Kuehnel, Stephan; Trang, Simon

Abstract: Social learning theory has attracted increasing attention in recent years in ter ... Expand

Abstract: Social learning theory has attracted increasing attention in recent years in terms of its use to study information security policy non-compliance behavior. But previous results of studies in the field of information security have been rather heterogeneous. various influencing factors have been considered within the framework of social learning theory. Previous studies quantitatively assess the effectiveness of social learning by relying on mean-based regression methods. In contrast, we intend to apply quantile regression to provide a new perspective on the subject. Therefore, we estimate the overall impact of social learning interventions and uncover how their impact differs among employees with different propensities (quantiles) for information security policy compliance behavior—an important finding for determining safety interventions for specific employee groups. Based on data collected in Germany, our results show significantly different effects in the analyzed quantile aspects of imitations and differential reinforcement. Collapse

Topics: data security IT security defense behavioral intention data quality information security policy compliance

Methods: survey linear regression analysis theory development experiment descriptive statistic

Risk Factors for Malicious Insider Threats – An Analysis of Attack Scenarios

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Hofmeier, Manfred; Seidenfad, Karl; Rieb, Andreas; Lechner, Ulrike

Abstract: Regarding malicious (intentional) insider threats, the damage potential is part ... Expand

Abstract: Regarding malicious (intentional) insider threats, the damage potential is particularly high. There are many suggestions for prevention and defense, but there is a lack of reliable knowledge about which measures actually are effective in regard to this kind of attacks. Using the serious game "Operation Digital Butterfly", 40 roles and attack scenarios as well as possible countermeasures were collected in 10 game sessions with participants from research institutions, companies and public authorities. These are the starting point for an analysis of effective risk factors at the levels of technology, organization, people and infrastructure, which is presented in this paper. Collapse

Topics: insider threat IT security defense

Methods: qualitative content analysis qualitative coding qualitative interview

Unsupervised Threat Hunting using Continuous Bag of Terms and Time (CBoTT)

2023 | International Conference on Information Systems | Citations: 0

Authors: Kayhan, Varol; Shivendu, Shivendu; Behnia, Rouzbeh; Daniel, Clinton; Agrawal, Manish

Abstract: Threat hunting is sifting through system logs to detect malicious activities th ... Expand

Abstract: Threat hunting is sifting through system logs to detect malicious activities that might have bypassed existing security measures. It can be performed in several ways, one of which is based on detecting anomalies. We propose an unsupervised framework, called continuous bag-of-terms-and-time (CBoTT), and publish its application programming interface (API) to help researchers and cybersecurity analysts perform anomaly-based threat hunting among SIEM logs geared toward process auditing on endpoint devices. Analyses show that our framework consistently outperforms benchmark approaches. When logs are sorted by likelihood of being an anomaly (from most likely to least), our approach identifies anomalies at higher percentiles (between 1.82-6.46) while benchmark approaches identify the same anomalies at lower percentiles (between 3.25-80.92). This framework can be used by other researchers to conduct benchmark analyses and cybersecurity analysts to find anomalies in SIEM logs. Collapse

Topics: IT security application programming interface Hadoop Distributed File System website web analytics

Methods: natural language processing artificial neural network support vector machine term frequency–inverse document frequency DBSCAN

Examining the Relationship between National Cybersecurity Commitment, Culture, and Digital Payment Usage: An Institutional Trust Theory Perspective

2023 | Information Systems Frontiers | Citations: 1

Authors: Krishna, Ben; Krishnan, Satish; Sebastian, M. P.

Abstract: Cyberattacks can be considered one of the fundamental challenges that paralyze t ... Expand

Abstract: Cyberattacks can be considered one of the fundamental challenges that paralyze the progress of digital payment usage (DPU) progress among citizens, as consumers shun away from using digital banking services due to increased concern over information security. National Cybersecurity Commitment (NCSC) has emerged as a preventive cybersecurity mechanism for countries to tackle such cybersecurity threats. Previous studies have shown that a country's NCSC positively impacts the business and economy of the country. This study examines the effect of NCSC on digital payment usage (DPU) across nations by grounding our discussion on the institutional trust theory. As trusting belief in security measures is a culturally embedded characteristic, we also examine the moderating role of national culture through Hofstede’s cultural dimensions. We use multilevel models to analyze publicly available archives of repeated cross-sectional data covering 76 countries to test the proposed relationships. Our findings indicate that NCSC has a positive influence on DPU. Further, our results highlight that the relationship between NCSC and DPU in a country is contingent on cultural dimensions. Overall, the evidence suggests that a competent cybersecurity environment compatible with cultural values can influence the speedy diffusion of digital payments in a country. Implications of our findings for research and practice are also discussed. Collapse

Topics: IT security internet technology national culture electronic finance information system use

Methods: longitudinal research hierarchical linear modeling cross sectional research archival research time series analysis

Theories: trust theory cultural dimensions theory contingency theory theory of economic growth

Where is IT in Information Security? The Interrelationship among IT Investment, Security Awareness, and Data Breaches

2023 | Management Information Systems Quarterly | Citations: 1

Authors: Li, Wilson Weixun; Leung, Alvin; Yue, Wei

Abstract: Data breaches can severely damage a firm's reputation and its customers' confid ... Expand

Abstract: Data breaches can severely damage a firm's reputation and its customers' confidence. Firms must therefore continuously invest in security measures to prevent such breaches. However, the effectiveness of security investment has been questioned by both practitioners and academics. We illustrate the bidirectional dynamic relationship between information technology (IT) investment and data breaches moderated by threat and countermeasure security awareness using an eight-year panel of 311 U.S.-listed firms to provide empirical evidence that threat awareness broadens firms' scope for addressing databreach issues by investing more in IT than in security. Countermeasure awareness equips firms with sufficient knowledge and experience to ensure effective implementation of IT, which provides more comprehensive protection than security investment alone. Our results suggest that firms should evolve beyond the reactive mindset of solely upgrading security and begin nurturing both threat awareness and countermeasure awareness to address the underlying IT system issues that are the cause of data breaches. Collapse

Topics: IT investment data breach IT security defense data security IT security threat

Methods: longitudinal research robustness check autocorrelation analysis survey literature study

Theories: institutional theory protection motivation theory