Decide wisely: Interactive videos as appealing educational element to attract students to information security

2023 | International Conference on Business Informatics | Citations: 0

Authors: Brehmer, Martin

Abstract: Educational videos play an important role in university education. However, the ... Expand

Abstract: Educational videos play an important role in university education. However, they are often not designed to foster active learning and the learning process is not immersive. Interactive digital storytelling is a promising game design element but requires a rigorous evaluation to avoid negative side effects. Therefore, we adopt a design science research approach to design and evaluate an interactive video that includes interactive storytelling and real-world recordings. The proposed artifact aims to raise information security awareness among bachelor students at a German university for malicious USB sticks and the reporting of incidents. In our evaluation, we focus on learning progress before and after using the video as well as qualitative feedback about the experience with the learning object. Our results show that videos that are based on interactive choice-based storytelling can foster an active and immersive process, and significant learning outcomes. Collapse

Topics: IT security training data security anonymity cybersecurity awareness user experience

Methods: parametric test Student's t-test survey design science descriptive statistic

Managing Organizational Cyber Security – The Distinct Role of Internalized Responsibility

2023 | HICSS | Citations: 0

Authors: Faltermaier, Stefan; Strunk, Kim; Obermeier, Michaela; Fiedler, Marina

Abstract: Desirable user behavior is key to cyber security in organizations. However, a co ... Expand

Abstract: Desirable user behavior is key to cyber security in organizations. However, a comprehensive overview on how to manage user behavior effectively, in order to support organizational cyber security, is missing. Building on extant research to identify central components of organizational cyber security management and on a qualitative analysis based on 20 semi-structured interviews with users and IT-Managers of a European university, we present an integrated model on this issue. We contribute to understanding the interrelations of namely user awareness, user IT-capabilities, organizational IT, user behavior, and especially internalized responsibility and relation to organizational cyber security. Collapse

Topics: IT security user behavior information technology capability IT security defense password

Methods: qualitative interview personal interview qualitative coding grounded theory case study

A Taxonomy of SETA Methods and Linkage to Delivery Preferences

2023 | ACM SIGMIS Database | Citations: 0

Authors: Kävrestad, Joakim; Nohlberg, Marcus; Furnell, Steven

Abstract: Cybersecurity threats targeting users are common in today's information systems. ... Expand

Abstract: Cybersecurity threats targeting users are common in today's information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific literature. Yet, incidents stemming from insecure user behavior continue to happen and are reported as one of the most common types of incidents. Researchers argue that empirically proven SETA programs are needed and point out focus on knowledge rather than behavior, along with poor user adoption, as problems with existing programs. The present study aims to research user preferences regarding SETA methods, with the motivation that a user is more likely to adopt a program perceived positively. A qualitative approach is used to identify existing SETA methods, and a quantitative approach is used to measure user preferences regarding SETA delivery. We show that users prefer SETA methods to be effortless and flexible and outline how existing methods meet that preference. The results outline how SETA methods respond to user preferences and how different SETA methods can be implemented to maximize user perception, thereby supporting user adoption. Collapse

Topics: IT workforce IT security online learning system database system usage intention

Methods: survey literature sample simulation structured literature research literature study

Theories: technology acceptance model

Do SETA Interventions Change Security Behavior? – A Literature Review

2023 | HICSS | Citations: 0

Authors: Nwachukwu, Uchechukwu; Vidgren, Jiri; Niemimaa, Marko; Järveläinen, Jonna

Abstract: Information security education, training, and awareness (SETA) are approaches to ... Expand

Abstract: Information security education, training, and awareness (SETA) are approaches to changing end-users’ security behavior. Research into SETA has conducted interventions to study the effects of SETA on security behavior. However, we lack aggregated knowledge on ‘how do SETA interventions influence security behavior?’. This study reviews 21 empirical SETA intervention studies published across the top IS journals. The theoretical findings show that the research has extended Protection Motivation Theory by (1) enhancements to fear appeals; (2) drawing attention to relevance; (3) incorporating temporality; (4) and shifting from intentions to behavior. In terms of behavior, the SETA interventions have targeted (1) information security policy compliance behavior; and (2) information protection behavior. We argue that while these studies have provided insights into security intentions and behavior, knowledge on designing effective SETA training has remained primarily anecdotal. We contribute (1) by pointing out gaps in the knowledge; and (2) by proposing tentative design recommendations. Collapse

Topics: data protection self efficacy web application security policy user behavior

Methods: literature study experiment literature sample design science structured literature research

Theories: protection motivation theory

Bridging the Gap between Security Competencies and Security Threats: Toward a Cyber Security Domain Model

2023 | HICSS | Citations: 0

Authors: Schütz, Florian; Rampold, Florian; Masuch, Kristin; Köpfer, Patricia; Mann, Dominik; Warwas, Julia; Trang, Simon

Abstract: Security incidents are increasing in a wide range of organizational types and si ... Expand

Abstract: Security incidents are increasing in a wide range of organizational types and sizes worldwide. Although various threat models already exist to classify security threats, they seem to take insufficient account of which organizational assets the threat events are targeting. Therefore, we argue that conducting more job-specific IT security training is necessary to ensure organizational IT security. This requires considering which assets employees use in their daily work and for which threat events employees need to build up IT security competencies. Subsequently, we build a framework-based Cyber Security Domain Model (CSDM) for IT-secure behavior. We follow the Evidence Centered Assessment Design (ECD) to provide a deep- dive analysis of the domain for IT-secure behavior. As the leading result relevant for research and practice, we present our CSDM consisting of 1,087 cyber threat vectors and apply it to five job specifications. Collapse

Topics: data security IT security IT security training phishing IT security defense

Methods: literature study survey design process

Security is Local: The Influence of the Immediate Workgroup on Information Security

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Wang, Dawei; Durcikova, Alexandra; Dennis, Alan

Abstract: Information security is a multilevel phenomenon with employee security decision ... Expand

Abstract: Information security is a multilevel phenomenon with employee security decisions being influenced by macrolevel factors (e.g., organizational policies), mesolevel factors (e.g., one's immediate workgroup-IW), and microlevel factors (e.g., individual personalities). We argue that an employee's local IW (i.e., immediate supervisor and coworkers) has a strong effect on security. This paper focuses on the effects of these mesolevel factors in the presence of macro-and microlevel factors. Drawing on the social structure and social learning framework as well as workgroup research, we hypothesize that the security behavior of an employee's IW supervisor and coworkers moderated by the nature of these relationships influences information security decisions. Our research, based on a sample of 217 full-time employees, reveals that the IW significantly affects security decisions, over and above the micro-and macrolevel factors. These effects are moderated by the nature of the relationship between employees and their IW supervisor (leader-member exchange) and coworkers (team-member exchange). A post hoc analysis shows that the mesolevel factors alone had the same explanatory power as the micro-and macrolevels combined. Our research suggests that future theory and research should include the IW and that organizations should share security responsibilities with line managers and help them understand their substantial impact on information security. Security training programs should ask employees about the behaviors of their IW supervisor and coworkers and, where needed, deliver anti-neutralization training to mitigate the effects of the IW's noncompliance behaviors.Alexandra Durcikova is an associate professor of MIS at the Price College of Business, University of Oklahoma. Her research focuses on knowledge management, knowledge repositories, and human compliance with security policy and characteristics of successful phishing attempts within the area of computer security, and health information systems. Collapse

Topics: data security IT security threat IT security password self efficacy

Methods: survey theory development descriptive statistic data transformation factor analysis

Theories: big five model social learning theory leader–member exchange theory

Phishing Susceptibility in Context: A Multilevel Information Processing Perspective on Deception Detection

2023 | Management Information Systems Quarterly | Citations: 0

Authors: Wright, Ryan; Johnson, Steven; Kitchens, Brent

Abstract: Despite widespread awareness of risks, significant investments in cybersecurity ... Expand

Abstract: Despite widespread awareness of risks, significant investments in cybersecurity protection, and substantial economic incentives to avoid security breaches, organizations remain vulnerable to phishing attacks. Phishing research has informed effective practical interventions to address phishing susceptibility that emphasize the importance of broadly applicable IT security knowledge. Yet employees still frequently fall victim to phishing attempts. To help understand why, we conceptualize phishing susceptibility as the failure to differentiate between deceptive and legitimate information processing requests that occur within the context of an employee's typical job responsibilities. We apply this contextual lens to identify characteristics of knowledge workers' organizational task and social context that may enhance or diminish performance in detecting deception in phishing email attempts. To test our hypotheses, we conducted a study in which employees of the finance division of a large university encountered simulated email-based phishing attempts as part of their normal work routine. We found evidence supporting our hypotheses that an individual's susceptibility to phishing attacks is influenced by their position in the knowledge flows of the organization and by the impact of workgroup responsibilities on their cognitive processing. We contend that phishing susceptibility is not merely a matter of IT security knowledge but is also influenced by contextualized, multilevel influences on information processing. As phishing attacks are increasingly targeted to specific organizational settings, it is even more important to incorporate this contextualized information processing view of phishing susceptibility. Collapse

Topics: phishing electronic mail system support IT security email phishing

Methods: theory development literature study simulation logistic regression survey

Toward an Effective SETA Program: An Action Research Approach

2023 | HICSS | Citations: 0

Authors: Zafar, Humayun; Williams, Jason; Gupta, Saurabh

Abstract: This study uses action research methods at a large US healthcare facility to cre ... Expand

Abstract: This study uses action research methods at a large US healthcare facility to create a security education training and awareness (SETA) program that is focused on three threats: phishing, unauthorized use of cloud services, and password sharing. The SETA training was based on self-regulation theory. Findings indicate that the training was effective at helping users to identify and avoid all three threats to the environment. Future research directions based on this study are also discussed. Collapse

Topics: phishing password cloud computing data security security policy

Methods: action research experimental group qualitative interview experimental design chi squared test

Theories: social cognitive theory

Introduction to the Minitrack on Organizational Cybersecurity: Advanced Cyber Defense, Cyber Analytics, and Security Operations

2023 | HICSS | Citations: 0

Authors: Steiner, Stuart; Plachkinova, Miloslava; Conte De Leon, Daniel; Shepherd, Morgan

Abstract: Cybersecurity touches all aspects of organizational management, with organizati ... Expand

Abstract: Cybersecurity touches all aspects of organizational management, with organizational systems, networks, and critical infrastructures increasingly targeted by determined malicious actors with advanced skills and resources. Such attacks have the potential for major disruption of our society including damage to assets, people, and the environment. Organizations, of all sizes and at all levels, are faced with the challenge of continuously, effectively, and efficiently protecting their systems while enabling and ensuring their mission. Organizational cybersecurity aims to advance knowledge on the theory and practice of cybersecurity management. Collapse

Topics: IT security decision making IT manager information technology capability IT security training

Methods: natural language processing personal interview case study qualitative content analysis

The Role of Heuristics in Information Security Decision Making

2022 | HICSS | Citations: 1

Authors: Fard Bahreini, Amir; Cenfetelli, Ron; Cavusoglu, Hasan

Abstract: Inadvertent human errors (e.g., clicking on phishing emails or falling for a spo ... Expand

Abstract: Inadvertent human errors (e.g., clicking on phishing emails or falling for a spoofed website) have been the primary cause of security breaches in recent years. To understand the root cause of these errors and examine practical solutions for users to overcome them, we applied the theory of bounded rationality and explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews with 27 participants revealed that users rely on various heuristics to simplify their decision making in the information security context. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. The results have practical and theoretical significance. In particular, they extend the literature by integrating bounded rationality concepts and elaborating “how” users simplify their security decision making by relying on cognitive heuristics. Collapse

Topics: decision making data security password privacy website design

Methods: qualitative interview card sorting literature study triangulation post-hoc analysis

Theories: theory of bounded rationality behavioral economics