Information Security and Privacy

Recent Submissions

  • Item
    Should You Disclose a Data Breach via Social Media? Evidence from US Listed Companies
    ( 2018-01-03) Rosati, Pierangelo ; Deeney, Peter ; Cummins, Mark ; van der Werff, Lisa ; Lynn, Theo
    Data breaches represent one of the main concerns for executives across all sectors. Data breaches open a period of crisis for the affected firm and require them to disclose complex information to a variety of stakeholders in a timely and proper manner. This paper investigates the relationship between social media disclosure of a data breach and its cost, as proxied by the response of the affected firm’s stock price. Using an event study methodology on a sample of 32 data breaches from 29 US publicly-traded firms from 2011 to 2014, we find that social media disclosure exacerbates the negative stock price’s response to the announcement. However, such a negative association is contingent on firm’s visibility on traditional media with social media disclosure having a beneficial effect for low-visibility companies.
  • Item
    Future Prospects of Cyber Security in Manufacturing: Findings from a Delphi Study
    ( 2018-01-03) Kannus, Katariina ; Ilvonen, Ilona
    Cyber security professionals need to make decisions in a constantly changing threat landscape, with a plethora of known threats that need reacting to in addition to the less well-known future threats. The objective of this paper is to provide insight in the cyber security landscape of manufacturing in 2021, and thus help decision making in the area. The Delphi study found out that internet of things, digitalization, industry 4.0, and the security of the industrial automation would be the most important drivers for the cyber security of manufacturing industry in 2021. The paper presents several important themes to be considered by security professionals.
  • Item
    Crowdsourcing Privacy Design Critique: An Empirical Evaluation of Framing Effects
    ( 2018-01-03) Ayalon, Oshrat ; Toch, Eran
    When designed incorrectly, information systems can thwart people’s expectations of privacy. An emerging technique for evaluating systems during the development stage is the crowdsourcing design critique, in which design evaluations are sourced using crowdsourcing platforms. However, we know that information framing has a serious effect on decision-making and can steer design critiques in one way or another. We investigate how the framing of design cases can influence the outcomes of privacy design critiques. Specifically, we test whether ‘Personas’, a central User-Centered Design tool for describing users, can inspire empathy in users while criticizing privacy designs. In an experiment on Amazon Mechanical Turk workers (n=456), we show that describing design cases by using personas causes intrusive designs to be criticized more harshly. We discuss how our results can be used to enhance privacy-by-design processes and encourage user-centered privacy engineering.
  • Item
    Host Inventory Controls and Systems Survey: Evaluating the CIS Critical Security Control One in Higher Education Networks
    ( 2018-01-03) Kobezak, Philip ; Marchany, Randy ; Raymond, David ; Tront, Joseph
    Within the field of information security, the identification of what we are trying to secure is essential to reducing risk. In private networks, this means understanding the classification of host end-points, identifying responsible users, and knowing the location of hosts. For the context of this paper, the authors are considering the challenges faced by higher education institutions in implementing the first Center for Internet Security (CIS) Critical Security Control: inventory of authorized and unauthorized devices. The authors developed and conducted a survey of chief information security officers at these institutions. The survey evaluated their confidence in meeting the goals of host inventory tracking. The results of the survey, along with analysis of the implications for information security operations, are presented in this paper. Changes in technology, such as BYOD, IoT, wireless, virtual machines, and application containers, are contributing to changes in the effectiveness of host inventory controls.
  • Item
    Web Tracking - A Literature Review on the State of Research
    ( 2018-01-03) Ermakova, Tatiana ; Fabian, Benjamin ; Bender, Benedict ; Klimek, Kerstin
    Web tracking seems to become ubiquitous in online business and leads to increased privacy concerns of users. This paper provides an overview over the current state of the art of web-tracking research, aiming to reveal the relevance and methodologies of this research area and creates a foundation for future work. In particular, this study addresses the following research questions: What methods are followed? What results have been achieved so far? What are potential future research areas? For these goals, a structured literature review based upon an established methodological framework is conducted. The identified articles are investigated with respect to the applied research methodologies and the aspects of web tracking they emphasize.
  • Item
    Internalization of Information Security Policy and Information Security Practice: A Comparison with Compliance
    ( 2018-01-03) Park, Minjung ; Chai, Sangmi
    Most recent information security incidents have been caused by employees’ poor management rather than technology defects. Accordingly, organizations try to improve their information security by demanding that employees conform to information security policies. Previous studies examined the effect of organizations’ enforcement-based systems, using penalties and rewards, on employees’ compliance with information security policies. They found there is a lack of autonomy and sustainability if conformity depended on external environmental factors. To confirm, following social influence theory, that employees’ information security practices can be better performed if they go beyond compliance and are internalized, we developed an instrument that measures employees’ attitudes on information security policies and conducted a pilot test. The results show that information security practices are performed better by the higher internalization group than by the compliance group, proving the greater effectiveness of internalization in improving both employees’ and organizations’ information security.
  • Item
    A Policy Framework for Subject-Driven Data Sharing
    ( 2018-01-03) Chowdhury, Mohammad Jabed Morshed ; Colman, Alan ; Han, Jun ; Kabir, Muhammad Ashad
    Organizations (e.g., hospitals, university etc.) are custodians of data on their clients and use this information to improve their service. Personal data of an individual therefore ends up hosted under the administration of different data custodians. Individuals (data subjects) may want to share their data with others for various reasons. However, existing data sharing mechanisms provided by the data custodians do not provide individuals enough flexibility to share their data, especially in a cross-domain (data custodian) environment. In this paper, we propose a data sharing policy language and related framework for a data subject to capture their fine-grained data sharing requirements. This proposed language allows the data subject to define data sharing policies that consider context conditions, privacy obligations and re-sharing restrictions. Furthermore, we have implemented a prototype to demonstrate how data subjects can define their data sharing policies and how the policies can be used and enforced at runtime.
  • Item
    Information Security Awareness: Literature Review and Integrative Framework
    ( 2018-01-03) Jaeger, Lennart
    Individuals’ information security awareness (ISA) plays a critical role in determining their security-related behavior in both organizational and private contexts. Understanding this relationship has important implications for individuals and organizations alike who continuously struggle to protect their information security. Despite much research on ISA, there is a lack of an overarching picture of the concept of ISA and its relationship with other constructs. By reviewing 40 studies, this study synthesizes the relationship between ISA and its antecedents and consequences. In particular, we (1) examine definitions of ISA; (2) categorize antecedents of ISA according to their level of origin; and (3) identify consequences of ISA in terms of changes in beliefs, attitudes, intentions, and actual security-related behaviors. A framework illustrating the relationships between the constructs is provided and areas for future research are identified.
  • Item
    Introduction to the Minitrack on Information Security and Privacy
    ( 2018-01-03) Bui, Tung ; Clemons, Eric ; Streff, Kevin