SwePub

Result list for search ""information security" ;pers:(Ekstedt Mathias)"


  • Result 1-10 of 21
1.
  • Rocha Flores, Waldo (author)
  • Shaping information security behaviors related to social engineering attacks
  • 2016
  • Doctoral thesis (other academic/artistic)
    • Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency of IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Paper 2 and 3 describes how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Paper 5 and 8 describes how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Paper 6 and 7 describes experiments performed to understand reason to why employees fall for social engineering. Finally, paper 2, 5 and 6 examines the moderating effect of national culture.
2.
  • Rocha Flores, Waldo, et al. (author)
  • Information security knowledge sharing in organizations : Investigating the effect of behavioral information security governance and national culture
  • 2014
  • In: Computers & security (Print). - : Elsevier. - 0167-4048 .- 1872-6208. ; 43, pp. 90-110
  • Journal article (peer-reviewed)
    • This paper presents an empirical investigation on what behavioral information security governance factors drives the establishment of information security knowledge sharing in organizations. Data was collected from organizations located in different geographic regions of the world, and the amount of data collected from two countries – namely, USA and Sweden – allowed us to investigate if the effect of behavioral information security governance factors on the establishment of security knowledge sharing differs based on national culture. The study followed a mixed methods research design, wherein qualitative data was collected to both establish the study’s research model and develop a survey instrument that was distributed to 578 information security executives. The results suggest that processes to coordinate implemented security knowledge sharing mechanisms have a major direct influence on the establishment of security knowledge sharing in organizations; the effect of organizational structure (e.g., centralized security function to develop and deploy uniform firm-wide policies, and use of steering committees to facilitate information security planning) is slightly weaker, while business-based information security management has no significant direct effect on security knowledge sharing. A mediation analysis revealed that the reason for the non-significant direct relation between business-based information security management and security knowledge sharing is the fully mediating effect of coordinating information security processes. Thus, the results disentangles the interrelated influences of behavioral information security governance factors on security knowledge sharing by showing that information security governance sets the platform to establish security knowledge sharing, and coordinating processes realize the effect of both the structure of the information security function and the alignment of information security management with business needs. A multigroup analysis identified that national culture had a significant moderating effect on the association between four of the six proposed relations. In Sweden – which is seen as a less individualist, feminine country – managers tend to focus their efforts on implementing controls that are aligned with business activities and employees’ need; monitoring the effectiveness of the implemented controls, and assuring that the controls are not too obtrusive to the end user. On the contrary, US organizations establish security knowledge sharing in their organization through formal arrangements and structures. These results imply that Swedish managers perceive it to be important to involve, or at least know how their employees cope with the decisions that have been made, thus favoring local participation in information security management, while US managers may feel the need to have more central control when running their information security function. The findings suggest that national culture should be taken into consideration in future studies – in particular when investigating organizations operating in a global environment – and understand how it affects behaviors and decision-making.
3.
  • Johansson, Erik, et al. (author)
  • Assessment of Enterprise Information Security : The Importance of Information Search Cost
  • 2006
  • In: Proceedings of the Annual Hawaii International Conference on System Sciences. - 1530-1605. ; 9, p. 219a-
  • Journal article (peer-reviewed)
    • There are today several methods and standards available for assessment of the level of information security in an enterprise. A problem with these assessment methods is that they neither provide an indication of the amount of effort required to obtain the assessment nor an approximation of this measure's credibility. This paper describes a part of a new method for assessing the level of enterprise information security expresses the credibility of the results in terms of confidence levels and make use of an estimation of the cost of searching for security evidence. Such methods for predicting information search cost of assessments are detailed in the paper. Search cost predictions are used for providing guidance on how to minimize the effort spent on performing enterprise information security assessments. The conclusions are based on a security assessment performed at a large European energy company and a statistical survey among Swedish security experts.
4.
  • Rocha Flores, Waldo, et al. (author)
  • Shaping intention to resist social engineering through transformational leadership, information security culture and awareness
  • 2016
  • In: Computers & security (Print). - : Elsevier BV. - 0167-4048 .- 1872-6208. ; 59, pp. 26-44
  • Journal article (peer-reviewed)
    • This paper empirically investigates how organizational and individual factors complement each other in shaping employees' intention to resist social engineering. The study followed a mixed methods research design, wherein qualitative data were collected to both establish the study's research model and develop a survey instrument that was distributed to 4296 organizational employees from a diverse set of organizations located in Sweden. The results showed that attitude toward resisting social engineering has the strongest direct association with intention to resist social engineering, while both self-efficacy and normative beliefs showed weak relationships with intention to resist social engineering. Furthermore, the results showed that transformational leadership was strongly associated with both perceived information security culture and information security awareness. Two mediation tests showed that attitude and normative beliefs partially mediate the effect of information security culture on employees' intention to resist social engineering. This suggests that both attitude and normative beliefs play important roles in governing the relationship between information security culture and intention to resist social engineering. A third mediation test revealed that information security culture fully explains the effect of transformational leadership on employees' attitude toward resisting social engineering. Discussion of the results and practical implications of the performed research are provided.
5.
  • Korman, Matus, 1985-, et al. (author)
  • Overview of Enterprise Information Needs in Information Security Risk Assessment
  • 2014
  • In: Proceedings of the 18th IEEE International EDOC Conference (EDOC 2014).
  • Conference paper (peer-reviewed)
    • Methods for risk assessment in information security suggest users to collect and consider sets of input information, often notably different, both in type and size. To explore these differences, this study compares twelve established methods on how their input suggestions map to the concepts of ArchiMate, a widely used modeling language for enterprise architecture. Hereby, the study also tests the extent, to which ArchiMate accommodates the information suggested by the methods (e.g., for the use of ArchiMate models as a source of information for risk assessment). Results of this study show how the methods differ in suggesting input information in quantity, as well as in the coverage of the ArchiMate structure. Although the translation between ArchiMate and the methods’ input suggestions is not perfect, our results indicate that ArchiMate is capable of modeling fair portions of the information needed for the methods for information security risk assessment, which makes ArchiMate models a promising source of guidance for performing risk assessments.
6.
  • Dán, György, et al. (author)
  • Challenges in Power System Information Security
  • 2012
  • In: IEEE Security and Privacy. - : IEEE Computer Society. - 1540-7993 .- 1558-4046. ; 10:4, pp. 62-70
  • Journal article (peer-reviewed)
    • Achieving all-encompassing component-level security in power system IT infrastructures is difficult, owing to its cost and potential performance implications.
7.
  • Rocha Flores, Waldo, et al. (author)
  • Exploring the link between behavioural information security governance and employee information security awareness
  • 2015
  • In: Proceedings of the 9th International Symposium on Human Aspects of Information Security & Assurance.
  • Conference paper (peer-reviewed)
    • This paper explores the relation between a set of behavioural information security governance factors and employees’ information security awareness. To enable statistical analysis between proposed relations, data was collected from two different samples in 24 organisations: 24 information security executives and 240 employees. The results reveal that having a formal unit with explicit responsibility for information security, utilizing coordinating committees, and sharing security knowledge through an intranet site significantly correlates with dimensions of employees’ information security awareness. However, regular identification of vulnerabilities in information systems and related processes is significantly negatively correlated with employees’ information security awareness, in particular managing passwords. The effect of behavioural information security governance on employee information security awareness is an understudied topic. Therefore, this study is explorative in nature and the results are preliminary. Nevertheless, the paper provides implications for both research and practice.
8.
  • Rocha Flores, Waldo, et al. (author)
  • Information Security Governance Analysis using Probabilistic Relational Models
  • 2011
  • In: Proceedings of the 8th International Workshop on Security in Information Systems, WOSIS 2011, in Conjunction with ICEIS 2011. - 9789898425614 ; , pp. 142-150
  • Conference paper (peer-reviewed)
    • This paper proposes the use of Probabilistic Relational Models (PRM) for analyzing dependencies between Information Security Governance (ISG) components and its impact on process capability of mitigating information security vulnerabilities. Using the PRM enables inference between different ISG components expressed in probabilities, and also inference on the process capability. A concrete PRM which exemplifies how to assess the capability of the access control process is further presented, and thus showing how the PRM can be adapted to fit the analysis of a specific process in an organizational environment.
9.
  • Johnson, Pontus, et al. (author)
  • Quantitative Information Security Risk Estimation using Probabilistic Attack Graphs
  • 2016
  • In: RISK: International Workshop on Risk Assessment and Risk-driven Testing. - Cham : Springer. - 9783319578576 ; , pp. 37-52
  • Conference paper (peer-reviewed)
    • This paper proposes an approach, called pwnPr3d, for quantitatively estimating information security risk in ICT systems. Unlike many other risk analysis approaches that rely heavily on manual work and security expertise, this approach comes with built-in security risk analysis capabilities. pwnPr3d combines a network architecture modeling language and a probabilistic inference engine to automatically generate an attack graph, making it possible to identify threats along with the likelihood of these threats exploiting a vulnerability. After defining the value of information assets to their organization with regards to confidentiality, integrity and availability breaches, pwnPr3d allows users to automatically quantify information security risk over time, depending on the possible progression of the attacker. As a result, pwnPr3d provides stakeholders in organizations with a holistic approach that both allows high-level overview and technical details.
10.
  • Rocha Flores, Waldo, et al. (author)
  • A Model for Investigating Organizational Impact on Information Security Behavior
  • 2012
  • Conference paper (peer-reviewed)
    • The increased amount of attacks targeting humans accessing and using computers has made it significantly important to understand human and organizational behavior in attacks and how resilient behavior can be achieved. This paper presents a research model that attempts to understand how organizational and human factors complement each other in shaping information security behavior. The model was developed through an inductive approach, in which content domain experts were interviewed to gain a deeper understanding of the phenomena. Common patterns that were identified in the interviews were then combined with data collected through surveying the literature. Specifically, the research model includes constructs related to the organization and promotion of information security, constructs related to perceptions of information security awareness and the social conditions within an organizational setting, and individual constructs related to an individual’s perceptions of attitude, normative beliefs, and self-efficacy. Implications for continuing research and how the model will be tested empirically are discussed.