Search results

When security managers choose to deploy a smart lock activation system, the number of units needed and their location needs to be established. This study aims to present the results of a penetration test involving smart locks in the context of building security. The authors investigated how the amount of effort an employee has to invest in complying with a security policy (i.e. walk from the office to the smart key activator) influences vulnerability. In particular, the attractiveness of a no-effort alternative (i.e. someone else walking from your office to the key activators to perform a task on your behalf) was evaluated. The contribution of this study relates to showing how experimental psychology can be used to determine the cost-benefit analysis (CBA) of physical building security measures.

Twenty-seven different “offenders” visited the offices of 116 employees. Using a script, each offender introduced a problem, provided a solution and asked the employee to hand over their office key.

A total of 58.6 per cent of the employees handed over their keys to a stranger; no difference was found between female and male employees. The likelihood of handing over the keys for employees close to a key activator was similar to that of those who were further away.

The results suggest that installing additional key activators is not conducive to reducing the building’s security vulnerability associated with the handing over of keys to strangers.

No research seems to have investigated the distribution of smart key activators in the context of a physical penetration test. This research highlights the need to raise awareness of social engineering and of the vulnerabilities introduced via smart locks (and other smart systems).

The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient.

Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails.

Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient’s years of service within the organisation is taken into account.

This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect.

The innovative aspect relates to explaining spear phishing using four socio-demographic variables.

This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts.

The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.

The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation.

This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.

Poor complaint management may result in organizations losing customers and revenue. Consumers exhibit negative emotional responses when dissatisfied and this may lead to a complaint to a third-party organization. Since little information is available on the role of emotion in the consumer complaint process or how to manage complaints effectively, we offer an emotions perspective by applying Affective Events Theory (AET) to complaint behavior. This study presents the first application of AET in a consumption context and advances a theoretical framework supported by qualitative research for emotional responses to complaints. In contrast to commonly held views on gender and emotion, men as well as women use emotion-focused coping to complain.

Penetration tests have become a valuable tool in the cyber security defence strategy in terms of detecting vulnerabilities. Although penetration testing has traditionally focussed on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyberattacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper, the authors reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. This paper aims to propose improvements to refine the framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny

The authors conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet the requirements to have an ethical human pentesting framework, the authors compiled a list of ethical principles from the research literature which they used to filter out techniques deemed unethical.

Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, the authors propose the refined GDPR-compliant and privacy respecting PoinTER framework. The list of ethical principles, as suggested, could also inform ethical technical pentests.

Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

Recent years have seen an explosion in the study of emotions in organizations, and although emotions play a central role in the job stress process, their role is largely neglected in empirical stressor–strain studies. Our chapter aims to build consensus in the literature by showing that discrete emotions provide a mechanism through which stressors exert their impact on well-being. By examining a larger domain of stressors, emotions, and well-being, we begin to develop and expand upon the nomological network of emotions. In an effort to build on the job demands–resources (JD-R) model, which includes both job demands (i.e., negative stimuli such as time pressure) and resources (i.e., positive stimuli such as autonomy), we include both negative and positive discrete emotions with the expectation that negative emotions will generally be linked to demands and positive emotions will be linked to resources. We also propose that there may be circumstances where demands trigger negative discrete emotions and lead to greater experienced strain, and conversely, where resources arouse positive discrete emotions, which would positively affect well-being. The model in our chapter sheds light on how discrete emotions have different antecedents (i.e., job demands and resources) and outcomes (e.g., satisfaction, burnout, performance), and as such, respond to calls for research on this topic. Our findings will be of particular interest to organizations where employees can be trained to manage their emotions to reduce the strain associated with job stressors.

Cross Cultural and Strategic Management (CCSM) began publication in 1994 and completed its 27th year in 2020. The purpose of this study is to provide a bibliometric analysis of CCSM during the period between 1994 and 2020.

The study uses a variety of bibliometric tools including performance analysis, authorship analysis, bibliographic coupling, keyword co-occurrence and regression analysis to present the retrospect of CCSM.

CCSM's publication and citations continue to enjoy consistent growth throughout the years. While most contributions originate in the United States, the diversity of both research and the researchers themselves continues to grow. Over the period, the emphasis has been on quantitative research design. Archival data have been the most preferred data source, and content analysis the most used data analysis method, although its use has somewhat declined over the years. Major recurring themes in the journal include cultural barriers, concept of culture, national culture, culture and organizational practices, and expatriate employees. Important drivers of citations are also identified.

The study’s contributions are twofold. First, the authors’ comprehensive bibliometric analysis of published research in CCSM helps uncover its underlying intellectual structure and the evolution of its research themes over time. Awareness of these patterns and major themes should help future CCSM scholars to better situate their studies within the extant body of knowledge. Second, the authors’ analysis should also aid in shaping future editorial strategies for CCSM as it continues to compete with other similar journals in the fields of international business, international management and strategy.

CCSM earned its reputation for quality, and as a result is currently one of the leading journals in its field. Therefore, by closely examining its underlying knowledge structure, the authors provide a more complete understanding of the intellectual progress made to date in CCSM, while also shedding light on its future.

In this chapter, we seek to resolve the long-running controversy as to whether moods foster or inhibit creativity. We base our arguments on a new theory, which we refer to as “creativity-as-mood-regulation,” where employees experiencing moods are envisaged to engage in creative behavior in the hope of regulating their moods. We further suggest that employees with different goal orientations will have different likelihoods of choosing creative activities to regulate their moods. Finally, we identify the specific goal-orientation conditions under which positive and negative moods may facilitate or depress creativity, and develop and discuss six related propositions.

Service recovery strategies have been identified as a critical factor in the success of service organizations. This study develops a conceptual framework to investigate how specific service recovery strategies influence the emotional, cognitive and negative behavioral responses of consumers, as well as how emotion and cognition influence negative behavior. Understanding the impact of specific service recovery strategies will allow service providers to more deliberately and intentionally engage in strategies that result in positive organizational outcomes. This study was conducted using a 2×2 between-subjects quasi-experimental design. The results suggest that service recovery has a significant impact on emotion, cognition and negative behavior. Similarly, satisfaction, negative emotion and positive emotion all influence negative behavior but distributive justice has no effect.

Affect is a dynamic construct that varies over time and can significantly influence motivation and performance in organisational contexts. This chapter addresses key conceptual and methodological challenges that arise when aiming to measure affect as a within-person process. The literature has been divided on whether the structure of affect is unipolar or bipolar and no research has considered this structure across levels of analysis. Measuring affect as a within-person process also requires a brief scale that can be administered with minimal disruption. This chapter presents data that provide evidence for bipolarity in the structure of affect. We use these data to validate the momentary affect scale, which is a new brief affect scale that can be used in within-person research designs and applied settings.