{"title":"Value conflicts and information security – a mixed-methods study in high-risk industry","authors":"Kristina Gyllensten, A. Pousette, Marianne Törner","doi":"10.1108/ics-09-2021-0139","DOIUrl":"https://doi.org/10.1108/ics-09-2021-0139","url":null,"abstract":"\u0000Purpose\u0000The purpose of this study is to investigate the influence of work-related value conflicts on information security in two organisations in nuclear power production and related industry.\u0000\u0000\u0000Design/methodology/approach\u0000A mixed-methods design was applied. Individual interviews were conducted with 24 employees of two organisations in Sweden and questionnaire data on information security climate were collected from 667 employees (62%) in the same two organisations.\u0000\u0000\u0000Findings\u0000The qualitative part of the study identified five different types of value conflicts influencing information security behaviour. The quantitative part of the study found that value conflicts relating to information security had a negative relationship with rule-compliant behaviour. The opposite was found for participative security behaviour where there was a positive relationship with value conflicts. A high climate of information security was positively related to both rule-compliant and participative information security behaviour. It also moderated the effect of value conflicts on compliant information security behaviour.\u0000\u0000\u0000Originality/value\u0000This paper highlights organisational contextual conditions that influence employees’ motivation and ability to manage value conflicts relating to information security in a high-risk industry. It also enables a better understanding of the influence of the information security climate on information security in the presence of value conflicts in this type of industry.\u0000","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"39 1","pages":""},"PeriodicalIF":1.4,"publicationDate":"2021-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77532277","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Understanding social media users’ privacy-protection behaviors","authors":"L. Baker-Eveleth, Robert Stone, Daniel M. Eveleth","doi":"10.1108/ics-07-2021-0099","DOIUrl":"https://doi.org/10.1108/ics-07-2021-0099","url":null,"abstract":"\u0000Purpose\u0000This study aims to identify the roles that privacy experiences and social media use play in influencing privacy-protection behaviors. As social media use expands in terms of the number of users and functionality; it is important to understand social media user privacy-protection behaviors and the users’ psychological underpinnings driving those behaviors. Among these, perceptions are the users’ evaluation of their privacy concerns and data sharing benefits inherent in social media use which influence the users’ behaviors to protect their privacy.\u0000\u0000\u0000Design/methodology/approach\u0000To research these issues, a theoretical model and hypotheses were developed, based on self-efficacy theory. The theoretical model was empirically tested using 193 questionnaire responses collected from students enrolled in business courses at a medium-sized university in the western USA. All the respondents reported that they routinely use social media. The empirical analysis was performed using structural equations modeling in PC SAS version 9.4, procedure Calis.\u0000\u0000\u0000Findings\u0000The estimation of the paths in the structural model indicates that privacy concerns positively influence social media users’ protection behaviors while the perceived benefits of data sharing negatively influence protection behaviors. Privacy experience positively influences privacy concerns. Alternatively, social media use positively influences social media self-efficacy and perceived usefulness, which, in turn, have meaningful influences on data sharing benefits.\u0000\u0000\u0000Originality/value\u0000Previous findings about the effect of self-efficacy on protection behaviors has been inconclusive. This study adds some clarity. Specifically, the findings suggest that the effect depends upon the foci of self-efficacy. While higher self-efficacy with respect to using privacy-related features of a specific technology tends to lead to greater privacy concerns, higher self-efficacy with respect to the more general technology (e.g. social media, computer) seems to affect protection behaviors through perceived benefits. Further, the results of this study offer conclusions about the roles that privacy experiences, social media use and perceived social media benefits play in affecting protection behaviors.\u0000","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"151 1","pages":""},"PeriodicalIF":1.4,"publicationDate":"2021-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89002304","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Investigating the accessibility and impacts of cybersecurity programs on high-school girls’ long-term industry engagement","authors":"Mridula Shan, Jeong Yang","doi":"10.1108/ics-05-2021-0067","DOIUrl":"https://doi.org/10.1108/ics-05-2021-0067","url":null,"abstract":"\u0000Purpose\u0000The purpose of this study is to investigate whether having accessible cybersecurity programs (CPs) for high-school students affected girls’ long-term engagement with the industry, given that they already had interests in technology. Although much research has been done to evaluate how high-school science, technology, engineering, and mathematics programs retain girls in computing fields, it is necessary to see if this same long-term engagement exists in cybersecurity-specific programs.\u0000\u0000\u0000Design/methodology/approach\u0000In total, 55 members were surveyed from the aspirations in computing community regarding their experience in and accessibility to high-school CPs. A quantitative analysis of such responses was then undertaken using inferential statistical tools and chi-squared tests for independence.\u0000\u0000\u0000Findings\u0000The results showed that the existence of CPs alone are not influential factors in increasing long-term engagement with the field, showcasing that the high-knowledge barrier of CPs affects many students (even those with prior interests in technology). Instead, by having multiple occurrences of these programs and providing more cybersecurity resources to areas that lacked them, girls were more likely to report an increased interest in the field.\u0000\u0000\u0000Practical implications\u0000Such information can support future program leaders to develop effective, accessible and more targeted cybersecurity initiatives for students of various communities.\u0000\u0000\u0000Originality/value\u0000By analyzing the unique interactions of tech-aspiring women with cybersecurity, this exploration was able to demonstrate that women of different computing experiences face a shared barrier when entering the cybersecurity field. Likewise, in comparing these perspectives across different age groups, the investigation highlighted the development and subsequent growth of cybersecurity programming over the years and why such initiatives should be supported into the future.\u0000","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"2016 1","pages":""},"PeriodicalIF":1.4,"publicationDate":"2021-10-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89901797","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cybersecurity Advocates: Discovering the Characteristics and Skills of an Emergent Role.","authors":"Julie M Haney, Wayne G Lutters","doi":"10.1108/ics-08-2020-0131","DOIUrl":"https://doi.org/10.1108/ics-08-2020-0131","url":null,"abstract":"<p><strong>Purpose: </strong>Cybersecurity advocates safeguard their organizations by promoting security best practices. However, little is known about what constitutes successful advocacy.</p><p><strong>Methodology: </strong>We conducted 28 in-depth interviews of cybersecurity advocates.</p><p><strong>Findings: </strong>Effective advocates not only possess technical acumen, but also interpersonal skills, communication acumen, context awareness, and a customer service orientation.</p><p><strong>Originality: </strong>We are the first to define and enumerate competencies for the role of cybersecurity advocate.</p><p><strong>Implications: </strong>Non-technical skills are deemphasized in cybersecurity training, limiting career progression into the cybersecurity advocate role for existing security professionals and those from other disciplines. We suggest improvements for professional development that encourage greater security workforce diversity.</p>","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"29 3","pages":""},"PeriodicalIF":1.4,"publicationDate":"2021-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8628570/pdf/nihms-1753036.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"39684282","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
H. Pham, L. Brennan, L. Parker, Nhat Tram Phan-Le, I. Ulhaq, M. Nkhoma, M. Nguyen
{"title":"Enhancing cyber security behavior: an internal social marketing approach","authors":"H. Pham, L. Brennan, L. Parker, Nhat Tram Phan-Le, I. Ulhaq, M. Nkhoma, M. Nguyen","doi":"10.1108/ics-01-2019-0023","DOIUrl":"https://doi.org/10.1108/ics-01-2019-0023","url":null,"abstract":"\u0000Purpose\u0000Understanding the behavioral change process of system users to adopt safe security practices is important to the success of an organization’s cybersecurity program. This study aims to explore how the 7Ps (product, price, promotion, place, physical evidence, process and people) marketing mix, as part of an internal social marketing approach, can be used to gain an understanding of employees’ interactions within an organization’s cybersecurity environment. This understanding could inform the design of servicescapes and behavioral infrastructure to promote and maintain cybersecurity compliance.\u0000\u0000\u0000Design/methodology/approach\u0000This study adopted an inductive qualitative approach using in-depth interviews with employees in several Vietnamese organizations. Discussions were centered on employee experiences and their perceptions of cybersecurity initiatives, as well as the impact of initiatives on compliance behavior. Responses were then categorized under the 7Ps marketing mix framework.\u0000\u0000\u0000Findings\u0000The study shows that assessing a cybersecurity program using the 7P mix enables the systematic capture of users’ security compliance and acceptance of IT systems. Additionally, understanding the interactions between system elements permits the design of behavioral infrastructure to enhance security efforts. Results also show that user engagement is essential in developing secure systems. User engagement requires developing shared objectives, localized communications, co-designing of efficient processes and understanding the “pain points” of security compliance. The knowledge developed from this research provides a framework for those managing cybersecurity systems and enables the design human-centered systems conducive to compliance.\u0000\u0000\u0000Originality/value\u0000The study is one of the first to use a cross-disciplinary social marketing approach to examine how employees experience and comply with security initiatives. Previous studies have mostly focused on determinants of compliance behavior without providing a clear platform for management action. Internal social marketing using 7Ps provides a simple but innovative approach to reexamine existing compliance approaches. Findings from the study could leverage proven successful marketing techniques to promote security compliance.\u0000","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"4 1","pages":""},"PeriodicalIF":1.4,"publicationDate":"2019-10-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81208832","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Using stage theorizing to make anti-phishing recommendations more effective","authors":"Alain Claude Tambe Ebot","doi":"10.1108/ics-06-2017-0040","DOIUrl":"https://doi.org/10.1108/ics-06-2017-0040","url":null,"abstract":"\u0000Purpose\u0000This paper aims to review the behavioral phishing literature to understand why anti-phishing recommendations are not very effective and to propose ways of making the recommendations more effective. The paper also examines how the concept of stages from health communication and psychology can be used to make recommendations against phishing more effective.\u0000\u0000\u0000Design/methodology/approach\u0000This literature review study focused on the behavioral phishing literature that has relied on human subjects. Studies were excluded for reasons that included lacking practical recommendations and human subjects.\u0000\u0000\u0000Findings\u0000The study finds that phishing research does not consider where victims are residing in qualitatively different stages. Consequently, the recommendations do not often match the specific needs of different victims. This study proposes a prototype for developing stage theories of phishing victims and identifies three stages of phishing victims from analyzing the previous phishing research.\u0000\u0000\u0000Research limitations/implications\u0000This study relied on published research on phishing victims. Future research can overcome this problem by interviewing phishing victims. Further, the authors’ recommendation that phishing researchers categorize phishing victims into stages and develop targeted messages is not based on direct empirical evidence. Nonetheless, evidence from cancer research and health psychology suggests that targeted messaging is efficacious and cost-effective. Thus, the impact of targeted messaging in phishing could be quite large.\u0000\u0000\u0000Practical implications\u0000The study recommends categorizing individuals into stages, based on their security knowledge and online behaviors, and other similar characteristics they may possess. A stage approach will consider that individuals who at one time clicked on a phishing link because they lacked the requisite security knowledge, after receiving security training, may click on a link because they are overconfident.\u0000\u0000\u0000Originality/value\u0000The paper explains why proposing anti-phishing recommendations, based on a “one-size fits all” approach has not been very effective (e.g. because it simplifies why people engage in different behaviors). The proposals introduce a new approach to designing and deploying anti-phishing recommendations based on the concept of stages.\u0000","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"69 1","pages":""},"PeriodicalIF":1.4,"publicationDate":"2018-10-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78212561","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A framework to assist email users in the identification of phishing attacks","authors":"A. Lötter, L. Futcher","doi":"10.1108/ICS-10-2014-0070","DOIUrl":"https://doi.org/10.1108/ICS-10-2014-0070","url":null,"abstract":"Purpose – The purpose of this paper is to propose a framework to address the problem that email users are not well-informed or assisted by their email clients in identifying possible phishing attacks, thereby putting their personal information at risk. This paper therefore addresses the human weakness (i.e. the user’s lack of knowledge of phishing attacks which causes them to fall victim to such attacks) as well as the software related issue of email clients not visually assisting and guiding the users through the user interface. Design/methodology/approach – A literature study was conducted in the main field of information security with a specific focus on understanding phishing attacks and a modelling technique was used to represent the proposed framework. This paper argues that the framework can be suitably implemented for email clients to raise awareness about phishing attacks. To validate the framework as a plausible mechanism, it was reviewed by a focus group within the School of Information and Com...","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"16 1","pages":"42-52"},"PeriodicalIF":1.4,"publicationDate":"2015-10-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76803239","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Matina Tsavli, P. Efraimidis, Vasilios Katos, L. Mitrou
{"title":"Reengineering the user: privacy concerns about personal data on smartphones","authors":"Matina Tsavli, P. Efraimidis, Vasilios Katos, L. Mitrou","doi":"10.1108/ICS-10-2014-0071","DOIUrl":"https://doi.org/10.1108/ICS-10-2014-0071","url":null,"abstract":"Purpose – This paper aims to discuss the privacy and security concerns that have risen from the permissions model in the Android operating system, along with two shortcomings that have not been adequately addressed. Design/methodology/approach – The impact of the applications’ evolutionary increment of permission requests from both the user’s and the developer’s point of view is studied, and finally, a series of remedies against the erosion of users’ privacy is proposed. Findings – The results of this work indicate that, even though providing access to personal data of smartphone users is by definition neither problematic nor unlawful, today’s smartphone operating systems do not provide an adequate level of protection for the user’s personal data. However, there are several ideas that can significantly improve the situation and mitigate privacy concerns of users of smart devices. Research limitations/implications – The proposed approach was evaluated through an examination of the Android’s permission mode...","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"21 1","pages":"80-89"},"PeriodicalIF":1.4,"publicationDate":"2015-10-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81737075","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}