Search results

The purpose of this study is to identify factors that determine computer and security expertise in end users. They can be significant determinants of human behaviour and interactions in the security and privacy context. Standardized, externally valid instruments for measuring end-user security expertise are non-existent.

A questionnaire encompassing skills and knowledge-based questions was developed to identify critical factors that constitute expertise in end users. Exploratory factor analysis was applied on the results from 898 participants from a wide range of populations. Cluster analysis was applied to characterize the relationship between computer and security expertise. Ordered logistic regression models were applied to measure efficacy of the proposed security and computing factors in predicting user comprehension of security concepts: phishing and certificates.

There are levels to peoples’ computer and security expertise that could be reasonably measured and operationalized. Four factors that constitute computer security-related skills and knowledge are, namely, basic computer skills, advanced computer skills, security knowledge and advanced security skills, and these are identified as determinants of computer expertise.

Findings from this work can be used to guide the design of security interfaces such that it caters to people with different expertise levels and does not force users to exercise more cognitive processes than required.

This work identified four factors that constitute security expertise in end users. Findings from this work were integrated to propose a framework called Security SRK for guiding further research on security expertise. This work posits that security expertise instrument for end user should measure three cognitive dimensions: security skills, rules and knowledge.

The purpose of this paper is to investigate relationships between workarounds (solutions to handling trade-offs between competing or misaligned goals and gaps in policies and procedures), perceived trade-offs, information security (IS) policy compliance, IS expertise/knowledge and IS demands.

The research purpose is addressed using survey data from a nationwide sample of Swedish white-collar workers (N = 156).

Responses reinforce the notion that workarounds partly are something different from IS policy compliance and that workarounds-as-improvisations are used more frequently by employees that see more conflicts between IS and other goals (r = 0.351), and have more IS expertise/knowledge (r = 0.257). Workarounds-as-non-compliance are also used more frequently when IS trade-offs are perceived (r = 0.536). These trade-offs are perceived more by people working in organizations that handle information with high security demands (r = 0.265) and those who perform tasks with high IS demands (r = 0.178).

IS policies are an important part of IS governance. They describe the procedures that are supposed to provide IS. Researchers have primarily investigated how employees’ compliance with IS policies can be predicted and explained. There has been an increased interest in how tradeoffs and conflicts between following policies and other goals lead employees to make workarounds. Workarounds may leave management unaware of how work actually is done within the organization and may besides getting work done lead to new vulnerabilities. This study furthers the understanding of workarounds and trade-offs, which should be subject to further research.

In methods and manuals, the product of an information security incident’s probability and severity is seen as a risk to manage. The purpose of the test described in this paper is to investigate if information security risk is perceived in this way, if decision-making style influences the perceived relationship between the three variables and if the level of information security expertise influences the relationship between the three variables.

Ten respondents assessed 105 potential information security incidents. Ratings of the associated risks were obtained independently from ratings of the probability and severity of the incidents. Decision-making style was measured using a scale inspired from the Cognitive Style Index; information security expertise was self-reported. Regression analysis was used to test the relationship between variables.

The ten respondents did not assess risk as the product of probability and severity, regardless of experience, expertise and decision-making style. The mean variance explained in risk ratings using an additive term is 54.0 or 38.4 per cent, depending on how risk is measured. When a multiplicative term was added, the mean variance only increased by 1.5 or 2.4 per cent. For most of the respondents, the contribution of the multiplicative term is statistically insignificant.

The inability or unwillingness to see risk as a product of probability and severity suggests that procedural support (e.g. risk matrices) has a role to play in the risk assessment processes.

This study is the first to test if information security risk is assessed as an interaction between probability and severity using suitable scales and a within-subject design.

The expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning the system administrators' ability to filter alarms produced by an IDS by comparing the performance of an IDS to the performance of a system administrator using the IDS.

An experiment was constructed where five computer networks are attacked during four days. The experiment assessed difference made between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.

The experiment shows that the system administrator analysing the output from the IDS significantly improves the portion of alarms corresponding to attacks, without decreasing the probability that an attack is detected significantly. In addition, an analysis is made of the types of expertise that is used when output from the IDS is processed by the administrator.

Previous work, based on interviews with system administrators, has suggested that competent system administrators are important in order to achieve effective IDS solutions. This paper presents a quantitative test of the value system administrators add to the intrusion detection solution.

The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audit by the internal audit function (IAF) of the firm. Specifically, the authors focused on whether IAF/CAE (certified audit executive [CAE]) characteristics, board involvement related to governance, role of the audit committee (or equivalent) and the chief risk officer (CRO) and IAF tasked with enterprise risk management (ERM) are associated with the extent to which the firm engages in security/cybersecurity audit.

For analysis, the paper uses responses of 970 CAEs as compiled in the Common Body of Knowledge database (CBOK, 2015) developed by the Institute of Internal Auditors Research Foundation (IIARF).

The results of the study suggest that the extent of security/cybersecurity audit by IAF is significantly and positively associated with IAF competence related to governance, risk and control. Board support regarding governance is also significant and positive. However, the Audit Committee (AC) or equivalent and the CRO role are not significant across the regions studied. Comprehensive risk assessment done by IAF and IAF quality have a significant and positive effect on security/cybersecurity audit. Unexpectedly, CAEs with security certification and IAFs tasked with ERM do not have a significant effect on security/cybersecurity audit; however, other certifications such as CISA or CPA have a marginal or mixed effect on the extent of security/cybersecurity audit.

This study is the first to describe IAF involvement in security/cybersecurity audit. It provides insights into the specific IAF/CAE characteristics and corporate governance characteristics that can lead IAF to contribute significantly to security/cybersecurity audit. The findings add to the results of prior studies on the IAF involvement in different IT-related aspects such as IT audit and XBRL implementation and on the role of the board and the audit committee (or its equivalent) in ERM and the detection and correction of security breaches.

Sharing information security best practices between experts via knowledge management systems is valuable for improving information security practices, exchanging expertise, mitigating security risks, spreading knowledge, reducing costs and saving efforts. The purpose of this paper is developing a conceptual model to enhance the transfer of information security best practices between professionals in virtual communities through a Web-based knowledge management system to exchange their successful experience in handling different information security situations.

The model is validated by surveying 17 experts’ reviews on the correctness of the model’s structure and its related components through applying deep rich peer debriefing to test suitability. Quantitative data has been collected to achieve confirmatory results.

The resulting model incorporates five main components that support the formal mechanism for the acquisition and dissemination of knowledge: identification, classification, storage, validation and sharing. The success of knowledge sharing is highly dependent on the active collaboration of community members and highly influenced by motivation. Validating transferred knowledge is vital for ensuring the credibility of the system.

To the best of the author’s knowledge, this paper is one of the first to highlight the role of integrating knowledge management to enhance the effective share and reuse of information security best practices knowledge. The research results can support researchers investigating the topic and generate trustworthy literature to guide information security virtual community developers.

Information systems security management is a knowledge‐intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system.

The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed.

Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management.

In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security‐related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security‐focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set.

This paper aims to extend current information security compliance research by adapting “work-stress model” of the extended Job Demands-Resources model to explore how security compliance demands, organization and personal resources influence end-user security compliance. The paper proposes that security compliance burnout and security engagement as the mediating factors between security compliance demands, organizational and personal resources and individual security compliance.

The authors used a multi-case in-depth interview method to explore the relevance and significance of security demands, organizational resources and personal resources on security compliance at work. Seventeen participants in three organizations including a bank, a university and an oil distribution company in Vietnam were interviewed during a four-month period.

The study identified three security demands, three security resources and two aspects of personal resources that influence security compliance. The study demonstrates that the security environment factors such as security demands and resources affected compliance burden and security engagement. Personal resources could play an integral role in moderating the impact of security environment on security compliance.

The findings presented are not generalizable to the wider population of end-users in Vietnam due to the small sample size used in the interviews. Further quantitative studies need to measure the extent of each predictor on security compliance.

The originality of the research stems from proposing not only stress-based but also motivating factors from the security environment on security compliance. By using qualitative approach, the study provides more insight to understand the impact of the security environments on security compliance.

In the mid-2000s, the operator of New York City’s mass transit network committed more than a half-billion dollars to military contractor Lockheed Martin for a security technology capable, in part, of inferring threats based on analysis of data streams, of developing response strategies, and taking automated action toward alerts and calamities in light of evolving circumstances. The project was a failure. This chapter explores the conceptualization and development of this technology – rooted in cybernetics – and compares its conceptual underpinnings with some situated problems of awareness, communication, coordination, and action in emergencies as they unfold in one of the busiest transport systems in the world, the New York subway. The author shows how the technology, with all the theatrical trappings of a “legitimate” security solution, was apparently conceived without a grounded understanding of actual use-cases, and the degree to which the complex interactions which give rise to subway emergency can be anticipated in – and therefore managed through – a technological system. As a case-study, the chapter illustrates the pitfalls of deploying technology against problems which are not well-defined in the first place, to the neglect of investments against much more fundamental problems – such as inadequate communication systems, and unstable relationships with emergency response agencies – which might offer guaranteed benefits, and indeed lay a firm groundwork for future deployment of more ambitious technology.

The paper seeks to provide a foundational understanding of the socio‐technical system that is computer network intrusion detection, including the nature of the knowledge work, situated expertise, and processes of learning as supported by information technology.

The authors conducted a field study to explore the work of computer network intrusion detection using multiple data collection methods, including semi‐structured interviews, examination of security tools and resources, analysis of information security mailing list posts, and attendance at several domain‐specific user group meetings.

The work practice of intrusion detection analysts involves both domain expertise of networking and security and a high degree of situated expertise and problem‐solving activities that are not predefined and evolve with the dynamically changing context of the analyst's environment. This paper highlights the learning process needed to acquire these two types of knowledge, contrasting this work practice with that of computer systems administrators.

The research establishes a baseline for future research into the domain and practice of intrusion detection, and, more broadly, information security.

The results presented here provide a critical examination of current security practices that will be useful to developers of intrusion detection support tools, information security training programs, information security management, and for practitioners themselves.

There has been no research examining the work or expertise development processes specific to the increasingly important information security practice of intrusion detection. The paper provides a foundation for future research into understanding this highly complex, dynamic work.