Innovative Behavioral IS Security and Privacy Research

Permanent URI for this collection


Recent Submissions

Now showing 1 - 10 of 11
  • Item
    Traditional SETA No More: Investigating the Intersection Between Cybersecurity and Cognitive Neuroscience
    ( 2019-01-08) Zafar, Humayun ; Randolph, Adriane ; Gupta, Saurabh ; Hollingsworth, Carole
    We investigated the role automated behavior plays in contributing to security breaches. Using different forms of phishing, combined with multiple neurophysiological tools, we were able to more fully understand the approaches participants took when they engaged with a phishing campaign. The four participants of this pilot study ranged in their individual characteristics of gender and IT experience while controlling for age. It seems the biggest factor for awareness and successfully resisting a phishing campaign may be proximity of security training to engagement with that campaign. Neurophysiological tools helped illustrate the thought processes behind participants’ statements and actions; combined with consideration of individual characteristics, these tools help shed more light on human behavior. In the future, we plan to further enhance our testing environment by incorporating an emergent model that considers work task complexity and incorporate more industry participants with a range of IT experience.
  • Item
    Theory of Experiential Career Exploration Technology (TECET): Increasing cybersecurity career interest through playable case studies
    ( 2019-01-08) Giboney, Justin ; Hansen, Derek ; Mcdonald, Jason ; Jonathan, Balzotti, ; Tanner, Johnson ; Winters, Desiree ; Bonsignore, Elizabeth
    There is a large demand to fill cybersecurity jobs. To alleviate this need, it is important to generate interest in cybersecurity as a career. One way to do this is through job shadowing and internships. Using design science principles, we have built and tested a playable case study (PCS) where participants can act out a virtual internship and learn relevant cybersecurity skills. We ran a study with students in introductory university courses where they played through a simulated internship at a penetration testing company called CyberMatics. In the study we showed that a PCS format helps students 1) better understand what skills and traits are needed for, 2) more firmly decide whether to pursue, and 3) increase their confidence in their ability to succeed in a career in cybersecurity. Through this study we propose the Theory of Experiential Career Exploration Technology (TECET).
  • Item
    The Role of “Eyes of Others” in Security Violation Prevention: Measures and Constructs
    ( 2019-01-08) Farshadkhah, Sahar ; Stafford, Tom
    Security research recognizes the effect of “being seen” in reducing the likelihood of security violations in the workplace. This has typically been construed in the context of formal monitoring processes by employers, but there is an emerging notion that workers care about what their workplace colleagues think of them and their activities. We leverage this idea of the “Eyes of Others” in motivating pro-security behaviors to apply to security contexts. We find that, for a set of worker self-perceptions including Morality and Self-Consciousness, the likelihood of engaging in mundane workplace security violations is impacted by the knowledge that coworkers are watching. This has important implications for novel expansions of deterrence research in IS Security, going forward.
  • Item
    To Calculate or To Follow Others: How Do Information Security Managers Make Investment Decisions?
    ( 2019-01-08) Shao, Xiuyan ; Siponen, Mikko ; Pahnila, Seppo
    Economic models of information security investment suggest estimating cost and benefit to make an information security investment decision. However, the intangible nature of information security investment prevents managers from applying cost- benefit analysis in practice. Instead, information security managers may follow experts’ recommendations or the practices of other organizations. The present paper examines factors that influence information security managers’ investment decisions from the reputational herding perspective. The study was conducted using survey questionnaire data collected from 106 organizations in Finland. The findings of the study reveal that the ability and reputation of the security manager and the strength of the information about the security investment significantly motivate the security manager to discount his or her own information. Herding, as a following strategy, together with mandatory requirements are significant motivations for information security investment.
  • Item
    Protecting Privacy on Social Media: Is Consumer Privacy Self-Management Sufficient?
    ( 2019-01-08) Alsarkal, Yaqoub ; Zhang, Nan ; Xu, Heng
  • Item
    Impulsivity and Information Disclosure: Implications for Privacy Paradox
    ( 2019-01-08) Aivazpour, Zahra ; Rao, V. Srinivasan (Chino)
    Privacy paradox refers to the inconsistency that sometimes exists between individuals’ expressed privacy concern and the willingness to divulge personal information. Several arguments have been proposed to explain the inconsistency. One set of arguments centers around the effects of individual differences in personality characteristics, e.g., the Big Five. In the current article, we examine the role of a personality characteristic, impulsivity, in explaining the relationship between privacy concern and information disclosure. We report the results of a survey-based study that consisted of two hundred and forty-two (242) usable responses from subjects recruited on Amazon Mechanical Turk. The results show that one of the three dimensions of impulsivity, motor impulsivity, directly influences the extent of information disclosure, and, also moderates the relationship between privacy concern and information disclosure. Furthermore, our study shows impulsivity explains more variance in information disclosure than explained by the Big Five factors only.
  • Item
    How Privacy Concerns and Trust and Risk Beliefs Influence Users’ Intentions to Use Privacy-Enhancing Technologies - The Case of Tor
    ( 2019-01-08) Harborth, David ; Pape, Sebastian
    Due to an increasing collection of personal data by internet companies and several data breaches, research related to privacy gained importance in the last years in the information systems domain. Privacy concerns can strongly influence users’ decision to use a service. The Internet Users Information Privacy Concerns (IUIPC) construct is one operationalization to measure the impact of privacy concerns on the use of technologies. However, when applied to a privacy enhancing technology (PET) such as an anonymization service the original rationales do not hold anymore. In particular, an inverted impact of trusting and risk beliefs on behavioral intentions can be expected. We show that the IUIPC model needs to be adapted for the case of PETs. In addition, we extend the original causal model by including trust beliefs in the anonymization service itself. A survey among 124 users of the anonymization service Tor shows that they have a significant effect on the actual use behavior of the PET.
  • Item
    The Compromise of One’s Personal Information: Trait Affect as an Antecedent in Explaining the Behavior of Individuals
    ( 2019-01-08) Dupuis, Marc ; Crossler, Robert
    This research examined the role trait affect, a lifelong and generally stable type of affect, has on the information security behavior of individuals. We examined this in the context of how one responds to the threat of one’s personal information becoming compromised. This was done by extending Protection Motivation Theory (PMT) by incorporating the two higher order dimensions of affect, positive affect and negative affect, as antecedents to self-efficacy, perceived threat severity, and perceived threat vulnerability. A survey was used to explore this further. Seven of the 11 hypotheses were supported, including three of the six related to affect. This research makes two primary contributions. First, trait affect may play an indirect role in understanding how individuals evaluate, respond to, and cope with a threat. Second, this research extended the application of PMT, which has been the primary theory used to understand the information security behavior of individuals.
  • Item
    An Empirical Study of Home User Intentions towards Computer Security
    ( 2019-01-08) Mills, Annette ; Sahi, Natasha
    Home computer users are solely responsible for implementing security measures on their devices. Although most computers have security software installed, the potential remains for security breaches, which makes it important for home users to take additional steps, such as not sharing one’s password and using strong passwords, to secure their devices further. Drawing on protection motivation theory and findings from prior research, this study evaluates factors that influence individuals to implement additional security measures to protect their home computers. Using SmartPLS and responses from 72 home computer users, the results show that response efficacy, self-efficacy and subjective norms were significant in encouraging persons to implement additional security measures. Maladaptive rewards on the other hand acted as a significant detractor, while neither perceived vulnerability nor perceived severity was significant in relation to willingness to implement additional security measures.
  • Item
    Encouraging Password Manager Adoption by Meeting Adopter Self-Determination Needs
    ( 2019-01-08) Alkaldi, Nora ; Renaud, Karen
    Password managers are a potential solution to the password conundrum, but adoption is paltry. We investigated the impact of a recommender application that harnessed the tenets of self-determination theory to encourage adoption of password managers. This theory argues that meeting a person's autonomy, relatedness and competence needs will make them more likely to act. To test the power of meeting these needs, we conducted a factorial experiment, in the wild. We satisfied each of the three self determination factors, and all individual combinations thereof, and observed short-term adoption of password managers. The Android recommender application was used by 470 participants, who were randomly assigned to one of the experimental or control conditions. Our analysis revealed that when all self-determination factors were satisfied, adoption was highest, while meeting only the autonomy or relatedness needs individually significantly improved the likelihood of adoption.