Search results

1 – 7 of 7
To view the access options for this content please click here
Article
Publication date: 30 November 2021

Bhaveer Bhana and Stephen Vincent Flowerday

The average employee spends a total of 18.6 h every two months on password-related activities, including password retries and resets. The problem is caused by the user…

Abstract

Purpose

The average employee spends a total of 18.6 h every two months on password-related activities, including password retries and resets. The problem is caused by the user forgetting or mistyping the password (usually because of character switching). The source of this issue is that while a password containing combinations of lowercase characters, uppercase characters, digits and special characters (LUDS) offers a reasonable level of security, it is complex to type and/or memorise, which prolongs the user authentication process. This results in much time being spent for no benefit (as perceived by users), as the user authentication process is merely a prerequisite for whatever a user intends to accomplish. This study aims to address this issue, passphrases that exclude the LUDS guidelines are proposed.

Design/methodology/approach

To discover constructs that create security and to investigate usability concerns relating to the memory and typing issues concerning passphrases, this study was guided by three theories as follows: Shannon’s entropy theory was used to assess security, chunking theory to analyse memory issues and the keystroke level model to assess typing issues. These three constructs were then evaluated against passwords and passphrases to determine whether passphrases better address the security and usability issues related to text-based user authentication. A content analysis was performed to identify common password compositions currently used. A login assessment experiment was used to collect data on user authentication and user – system interaction with passwords and passphrases in line with the constructs that have an impact on user authentication issues related to security, memory and typing. User–system interaction data was collected from a purposeful sample size of 112 participants, logging in at least once a day for 10 days. An expert review, which comprised usability and security experts with specific years of industry and/or academic experience, was also used to validate results and conclusions. All the experts were given questions and content to ensure sufficient context was provided and relevant feedback was obtained. A pilot study involving 10 participants (experts in security and/or usability) was performed on the login assessment website and the content was given to the experts beforehand. Both the website and the expert review content was refined after feedback was received from the pilot study.

Findings

It was concluded that, overall, passphrases better support the user during the user authentication process in terms of security, memory issues and typing issues.

Originality/value

This research aims at promoting the use of a specific type of passphrase instead of complex passwords. Three core aspects need to be assessed in conjunction with each other (security, memorisation and typing) to determine whether user-friendly passphrases can support user authentication better than passwords.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article
Publication date: 21 May 2021

Heather J. Parker and Stephen Flowerday

Social media has created a new level of interconnected communication. However, the use of online platforms brings about various ways in which a user’s personal data can be…

Abstract

Purpose

Social media has created a new level of interconnected communication. However, the use of online platforms brings about various ways in which a user’s personal data can be put at risk. This study aims to investigate what drives the disclosure of personal information online and whether an increase in awareness of the value of personal information motivates users to safeguard their information.

Design/methodology/approach

Fourteen university students participated in a mixed-methods experiment, where responses to Likert-type scale items were combined with responses to interview questions to provide insight into the cost–benefit analysis users conduct when disclosing information online.

Findings

Overall, the findings indicate that users are able to disregard their concerns due to a resigned and apathetic attitude towards privacy. Furthermore, subjective norms enhanced by fear of missing out (FOMO) further allows users to overlook potential risks to their information in order to avoid social isolation and sanction. Alternatively, an increased awareness of the personal value of information and having experienced a previous privacy violation encourage the protection of information and limited disclosure.

Originality/value

This study provides insight into privacy and information disclosure on social media in South Africa. To the knowledge of the researchers, this is the first study to include a combination of the theory of planned behaviour and the privacy calculus model, together with the antecedent factors of personal valuation of information, trust in the social media provider, FOMO.

Details

Information & Computer Security, vol. 29 no. 3
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article
Publication date: 15 June 2020

Tamir Tsegaye and Stephen Flowerday

An electronic health record (EHR) enables clinicians to access and share patient information electronically and has the ultimate goal of improving the delivery of…

Abstract

Purpose

An electronic health record (EHR) enables clinicians to access and share patient information electronically and has the ultimate goal of improving the delivery of healthcare. However, this can create security and privacy risks to patient information. This paper aims to present a model for securing the EHR based on role-based access control (RBAC), attribute-based access control (ABAC) and the Clark-Wilson model.

Design/methodology/approach

A systematic literature review was conducted which resulted in the collection of secondary data that was used as the content analysis sample. Using the MAXQDA software program, the secondary data was analysed quantitatively using content analysis, resulting in 2,856 tags, which informed the discussion. An expert review was conducted to evaluate the proposed model using an evaluation framework.

Findings

The study found that a combination of RBAC, ABAC and the Clark-Wilson model may be used to secure the EHR. While RBAC is applicable to healthcare, as roles are linked to an organisation’s structure, its lack of dynamic authorisation is addressed by ABAC. Additionally, key concepts of the Clark-Wilson model such as well-formed transactions, authentication, separation of duties and auditing can be used to secure the EHR.

Originality/value

Although previous studies have been based on a combination of RBAC and ABAC, this study also uses key concepts of the Clark-Wilson model for securing the EHR. Countries implementing the EHR can use the model proposed by this study to help secure the EHR while also providing EHR access in a medical emergency.

Details

Information & Computer Security, vol. 28 no. 3
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article
Publication date: 10 October 2016

Karen Renaud, Stephen Flowerday, Rosanne English and Melanie Volkamer

The purpose of this study was to identify to identify reasons for the lack of protest against dragnet surveillance in the UK. As part of this investigation, a study was…

Abstract

Purpose

The purpose of this study was to identify to identify reasons for the lack of protest against dragnet surveillance in the UK. As part of this investigation, a study was carried out to gauge the understanding of “privacy” and “confidentiality” by the well-informed.

Design/methodology/approach

To perform a best-case study, the authors identified a group of well-informed participants in terms of security. To gain insights into their privacy-related mental models, they were asked first to define the three core terms and then to identify the scenarios. Then, the participants were provided with privacy-related scenarios and were asked to demonstrate their understanding by classifying the scenarios and identifying violations.

Findings

Although the participants were mostly able to identify privacy and confidentiality scenarios, they experienced difficulties in articulating the actual meaning of the terms privacy, confidentiality and security.

Research limitations/implications

There were a limited number of participants, yet the findings are interesting and justify further investigation. The implications, even of this initial study, are significant in that if citizens’ privacy rights are being violated and they did not seem to know how to protest this and if indeed they had the desire to do so.

Practical implications

Had the citizens understood the meaning of privacy, and their ancient right thereto, which is enshrined in law, their response to the Snowden revelations about ongoing wide-scale surveillance might well have been more strident and insistent.

Originality/value

People in the UK, where this study was carried out, do not seem to protest the privacy invasion effected by dragnet surveillance with any verve. The authors identify a number of possible reasons for this from the literature. One possible explanation is that people do not understand privacy. Thus, this study posits that privacy is unusual in that understanding does not seem to align with the ability to articulate the rights to privacy and their disapproval of such widespread surveillance. This seems to make protests unlikely.

Details

Information & Computer Security, vol. 24 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article
Publication date: 12 October 2015

Bukelwa Ngoqo and Stephen V. Flowerday

The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone…

Abstract

Purpose

The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone users’ poor information security behaviour. Two key aspects associated with information security behaviour were considered, namely, awareness and behavioural intent. This paper proposes that the knowing-and-doing gap can possibly be reduced by addressing both awareness and behavioural intent. This research paper explores the relationship between student mobile phone user information security awareness and behavioural intent in a developmental university in South Africa.

Design/methodology/approach

Information security awareness interventions were implemented in this action research study, and student information security behavioural intent was observed after each cycle.

Findings

The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context, as most undergraduate students are offered a computer-related course which covers certain information security-related principles. Existing researchers in the field of information security still grapple with the “knowing-and-doing” gap, where user information security knowledge/awareness sometimes does not result in safer behavioural practises.

Originality/value

Zhang et al. (2009) suggest that understanding human behaviour is important when dealing with the problems caused by human errors. Harnesk and Lindstrom (2011) expressed a concern that existing research does not address the interlinked relationship between anticipated security behaviour and the enactment of security procedures. This study acknowledges Choi et al. (2008) contribution in their discussions on the “knowing-and-doing gap” suggests a link between awareness and actual behaviour that is confirmed by the findings of this study.

Details

Information & Computer Security, vol. 23 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article
Publication date: 4 January 2016

Deniz Appelbaum, Stephen Kozlowski, Miklos A. Vasarhelyi and Joel White

The purpose of this project is to undertake continuous auditing and monitoring (CA/CM) implementations working with small-to-medium-sized (SME) not-for-profit (NFP…

Abstract

Purpose

The purpose of this project is to undertake continuous auditing and monitoring (CA/CM) implementations working with small-to-medium-sized (SME) not-for-profit (NFP) organizations of varying sizes, business purposes and levels of technical sophistication.

Design/methodology/approach

This paper discusses a project using a case study approach with an SME NFP entity.

Findings

The findings support the discussions in the literature regarding CA/CM adoption in organizations, particularly regarding its implementation benefits and challenges.

Research limitations/implications

The project is not complete in that additional case studies could possibly offer additional applicability to the findings.

Practical implications

This case study illustrates the issues inherent with the process of adopting new technologies. It provides insights for others considering adoption of CA/CM tools or protocols.

Social implications

The need for more reliable auditing has never been more urgent than it is today in the NFP environment, and this case study demonstrates how an NFP could address these critical needs of increased reporting accountability and internal controls.

Originality/value

The application of CA/CM is quite interesting and relevant in this modern real-time economy. This case study provides a new area of research in the field of CA/CM and, as such, contributes to the literature.

Details

Managerial Auditing Journal, vol. 31 no. 1
Type: Research Article
ISSN: 0268-6902

Keywords

To view the access options for this content please click here
Article
Publication date: 13 March 2020

R.I. Ferguson, Karen Renaud, Sara Wilford and Alastair Irons

Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital…

Abstract

Purpose

Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction.

Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization's right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain.

This paper argues the need for a practical, ethically grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organizations, as well as acknowledging the needs of law enforcement. The paper derives a set of ethical guidelines, and then maps these onto a forensics investigation framework. The framework to expert review in two stages is subjected, refining the framework after each stage. The paper concludes by proposing the refined ethically grounded digital forensics investigation framework. The treatise is primarily UK based, but the concepts presented here have international relevance and applicability.

Design/methodology/approach

In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals' rights to privacy and organizations' rights to control intellectual capital disclosure.

Findings

The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically informed approach to digital forensics investigations, as a remedy, is highlighted and a framework proposed to provide this.

Research limitations/implications

The proposed ethically informed framework for guiding digital forensics investigations suggests a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced.

Originality/value

Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other.

Details

Journal of Intellectual Capital, vol. 21 no. 2
Type: Research Article
ISSN: 1469-1930

Keywords

1 – 7 of 7