SwePub

Result list for search ""information security" ;hsvcat:2"


  • Result 1-10 of 110
1.
  • Rocha Flores, Waldo (author)
  • Shaping information security behaviors related to social engineering attacks
  • 2016
  • Doctoral thesis (other academic/artistic)
    • Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency on IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Papers 2 and 3 describe how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Papers 5 and 8 describe how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Papers 6 and 7 describe experiments performed to understand the reason why employees fall for social engineering. Finally, papers 2, 5 and 6 examine the moderating effect of national culture.
2.
  • Rocha Flores, Waldo, et al. (author)
  • Information security knowledge sharing in organizations : Investigating the effect of behavioral information security governance and national culture
  • 2014
  • In: Computers & security (Print). - : Elsevier. - 0167-4048 .- 1872-6208. ; 43, s. 90-110
  • Journal article (peer-reviewed)
    • This paper presents an empirical investigation on what behavioral information security governance factors drive the establishment of information security knowledge sharing in organizations. Data was collected from organizations located in different geographic regions of the world, and the amount of data collected from two countries – namely, USA and Sweden – allowed us to investigate if the effect of behavioral information security governance factors on the establishment of security knowledge sharing differs based on national culture. The study followed a mixed methods research design, wherein qualitative data was collected to both establish the study’s research model and develop a survey instrument that was distributed to 578 information security executives. The results suggest that processes to coordinate implemented security knowledge sharing mechanisms have a major direct influence on the establishment of security knowledge sharing in organizations; the effect of organizational structure (e.g., centralized security function to develop and deploy uniform firm-wide policies, and use of steering committees to facilitate information security planning) is slightly weaker, while business-based information security management has no significant direct effect on security knowledge sharing. A mediation analysis revealed that the reason for the non-significant direct relation between business-based information security management and security knowledge sharing is the fully mediating effect of coordinating information security processes. Thus, the results disentangle the interrelated influences of behavioral information security governance factors on security knowledge sharing by showing that information security governance sets the platform to establish security knowledge sharing, and coordinating processes realize the effect of both the structure of the information security function and the alignment of information security management with business needs. A multigroup analysis identified that national culture had a significant moderating effect on the association between four of the six proposed relations. In Sweden – which is seen as a less individualist, feminine country – managers tend to focus their efforts on implementing controls that are aligned with business activities and employees’ need; monitoring the effectiveness of the implemented controls, and assuring that the controls are not too obtrusive to the end user. On the contrary, US organizations establish security knowledge sharing in their organization through formal arrangements and structures. These results imply that Swedish managers perceive it to be important to involve, or at least know how their employees cope with the decisions that have been made, thus favoring local participation in information security management, while US managers may feel the need to have more central control when running their information security function. The findings suggest that national culture should be taken into consideration in future studies – in particular when investigating organizations operating in a global environment – and understand how it affects behaviors and decision-making.
3.
  • Johnson, Pontus, et al. (author)
  • Assessment of Business Process Information Security
  • 2007
  • In: International Journal of Business Process Integration and Management. - 1741-8763. ; 3:2, s. 118-130
  • Journal article (peer-reviewed)
    • Business processes are increasingly dependent on their supporting information systems. With this dependence comes an increased security risk with respect to the information flowing through the processes. This paper presents a method for assessment of the level of information security within business processes in the form of a percentage number, where a high score indicates good information security and a low score indicates a poor level of information security. The method also provides a numerical estimate of the credibility of the information security score, so that an assessment based on few and uncertain pieces of evidence is associated with low credibility and an assessment based on a large set of trustworthy evidence is associated with high credibility. A common problem with information security assessments is the cost related to collecting the required evidence. The paper proposes an evidence collection strategy designed to minimize the effort spent on gathering assessment data while maintaining the desired credibility of the results. A case study is presented, demonstrating the use of the method.
4.
  • Metalidou, Efthymia, et al. (author)
  • The Human Factor of Information Security : Unintentional Damage Perspective
  • 2014
  • In: Procedia - Social and Behavioral Sciences. - : Elsevier. ; , s. 424-428
  • Conference paper (peer-reviewed)
    • It is widely acknowledged that employees of an organization are often a weak link in the protection of its information assets. Information security has not been given enough attention in the literature in terms of the human factor effect; researchers have called for more examination in this area. Human factors play a significant role in computer security. In this paper, we focus on the relationship of the human factor on information security presenting the human weaknesses that may lead to unintentional harm to the organization and discuss how information security awareness can be a major tool in overcoming these weaknesses. A framework for a field research is also presented in order to identify the human factors and the major attacks that threaten computer security.
5.
  •  
6.
  • Rocha Flores, Waldo, et al. (author)
  • Expert Opinions on Information Security Governance Factors : An Exploratory Study
  • 2011
  • In: ECIS 2011 Proceedings.
  • Conference paper (peer-reviewed)
    • Information Security Governance (ISG) is an important discipline that addresses information security at a strategic level providing strategic direction, optimized use of information resources and proper security incident management. ISG and the impact of poor security incident management have attracted much attention in the literature but unfortunately there is little empirical evidence regarding the explicit link between ISG and its effectiveness in terms of reducing negative impacts on business objectives from security incidents. Consequently, little exploration of ISG factors and their impact on the above mentioned measure of effectiveness exists. Further, to direct endeavors the crucial question is if there exist any differences in how effective these factors are in attaining this target. Currently, there is a lack in research considering this question. The research presented in this article explores the ISG domain further by empirically examining 30 ISG factors and their ability of reducing negative impacts on business objectives from security incidents. Data has been collected by surveying ISG experts. Ten factors were identified to have significantly different means in relation to other factors according to a one-way ANOVA analysis that was conducted. The results give an indication on what ISG factors have an effect, providing both support for further academic research and also decision support for implementing ISG.
7.
  • Harnesk, Dan, et al. (author)
  • Materializing organizational information security
  • 2012
  • In: Nordic Contributions in IS Research. - Berlin, Heidelberg : Encyclopedia of Global Archaeology/Springer Verlag. - 9783642322693 - 9783642322709 ; , s. 76-94
  • Conference paper (peer-reviewed)
    • In the context of situated elderly care this paper discusses the intertwined relationship between organizational security objectives, technology, and employees' security behavior. We use findings from a single case study to aid in our understanding of how managers sought to create a secure work environment by introducing behavioral security technology, and how employees appreciated the new security software in everyday routines. Theoretically the case study is informed by sociomateriality in that it employs the notion of technological affordances of behavioral security technology. Findings show that security technology material is an integral part of security management and security in use, and that both the technical actor and human actors contributed to cultivation of the information security practice in the elderly care center.
8.
  • Rocha Flores, Waldo, et al. (author)
  • Shaping intention to resist social engineering through transformational leadership, information security culture and awareness
  • 2016
  • In: Computers & security (Print). - : Elsevier BV. - 0167-4048 .- 1872-6208. ; 59, s. 26-44
  • Journal article (peer-reviewed)
    • This paper empirically investigates how organizational and individual factors complement each other in shaping employees' intention to resist social engineering. The study followed a mixed methods research design, wherein qualitative data were collected to both establish the study's research model and develop a survey instrument that was distributed to 4296 organizational employees from a diverse set of organizations located in Sweden. The results showed that attitude toward resisting social engineering has the strongest direct association with intention to resist social engineering, while both self-efficacy and normative beliefs showed weak relationships with intention to resist social engineering. Furthermore, the results showed that transformational leadership was strongly associated with both perceived information security culture and information security awareness. Two mediation tests showed that attitude and normative beliefs partially mediate the effect of information security culture on employees' intention to resist social engineering. This suggests that both attitude and normative beliefs play important roles in governing the relationship between information security culture and intention to resist social engineering. A third mediation test revealed that information security culture fully explains the effect of transformational leadership on employees' attitude toward resisting social engineering. Discussion of the results and practical implications of the performed research are provided.
9.
  • Korman, Matus, 1985-, et al. (author)
  • Overview of Enterprise Information Needs in Information Security Risk Assessment
  • 2014
  • In: Proceedings of the 18th IEEE International EDOC Conference (EDOC 2014).
  • Conference paper (peer-reviewed)
    • Methods for risk assessment in information security suggest users to collect and consider sets of input information, often notably different, both in type and size. To explore these differences, this study compares twelve established methods on how their input suggestions map to the concepts of ArchiMate, a widely used modeling language for enterprise architecture. Hereby, the study also tests the extent, to which ArchiMate accommodates the information suggested by the methods (e.g., for the use of ArchiMate models as a source of information for risk assessment). Results of this study show how the methods differ in suggesting input information in quantity, as well as in the coverage of the ArchiMate structure. Although the translation between ArchiMate and the methods’ input suggestions is not perfect, our results indicate that ArchiMate is capable of modeling fair portions of the information needed for the methods for information security risk assessment, which makes ArchiMate models a promising source of guidance for performing risk assessments.
10.
  • Rocha Flores, Waldo, et al. (author)
  • The development of an instrument for assessing information security in organizations : Examining the content validity using quantitative methods
  • 2013
  • In: CONF-IRM 2013 Proceedings.
  • Conference paper (peer-reviewed)
    • Content validity, the extent to which a measurement reflects the specific intended domain of content, is a basic type of validity for a valid measurement. It has usually been examined using qualitative methods and has not been given as much attention as the other psychometric properties such as internal consistency reliability, indicator reliability and construct validity in the IS field. In this paper, a quantitative approach including the proportion of substantive agreement (PSA), and substantive validity (CSV) was used to examine content validity for 80 items covering eight domains related to organizational and individual perspectives of information security. The content validity for the organizational perspective was examined using data from a total of 56 content domain experts. Data from 51 experts were further used to examine content validity for the individual perspective of information security. 31 items did not have an adequate content validity, leaving the instrument with 49 items that have been evaluated for their content validity and can be used in future empirical tests of hypotheses in the information security field. To the knowledge of the authors this quantitative method to assess content validity of items in the process of developing instruments hasn’t yet been applied in the field of information security.