A review of the theory of planned behaviour in the context of information security policy compliance
The behaviour of employees influences information security in virtually all organisations. To inform the employees regarding what constitutes desirable behaviour, an information security policy can be formulated and communicated. However, not all employees comply with...
What kind of interventions can help users from falling for phishing attempts: A research proposal for examining stage-appropriate interventions
Because successful phishing attacks are expensive to society, it is imperative to understand how to promote protective behavior for IS end-users. Our research program in progress will extend IS Security research by empirically testing a theoretical hybrid...
Information security behavior: Towards multi-stage model
In order to ensure that employees abide by their organizations’ Information Security Policies (ISP), a number of information security policy compliance measures have been proposed in the past. If different factors can explain/predict the information security behavior...
Motivating the insider to protect organizational information assets: Evidence from protection motivation theory and rival explanations
This research investigates the factors that motivate employees to protect their organizations from information security threats via protection-motivated behaviors (PMBs). A model founded on Protection Motivation Theory (PMT) and several rival explanations is assessed...
Contextualized web warnings, and how they cause distrust
Current warnings in Web browsers are difficult to understand for lay users. We address this problem through more concrete warning content by contextualizing the warning – for example, taking the user’s current intention into account in order to name concrete...
Human aspects of information security: An empirical study of intentional versus actual behavior
Purpose – A significant amount of empirical research has been conducted on the socio-economic (sociological, psychological, economic) aspects of information security, such as the phenomenon of individuals who are willing to take security measures, but often do not....
Phishing and organisational learning
The importance of addressing the human aspect in information security has grown over the past few years. One of the most frequent techniques used to obtain private or confidential information from humans is phishing. One way to combat these phishing scams is to have...
Information security culture – state-of-the-art review between 2000 and 2013
Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a...
One size does not fit all: Different cultures require different information systems security interventions
Employees’ non-compliance with information systems (IS) security policies is a key concern for organizations. Previous studies have proposed different explanations for employees’ behavior, such as the use of sanctions and monitoring, fear appeal and training, which...
Don’t make excuses! Discouraging neutralization to reduce IT policy violation
Past research on information technology (IT) security training and awareness has focused on informing employees about security policies and formal sanctions for violating those policies. However, research suggests that deterrent sanctions may not be the most powerful...
A survey of security risks of mobile social media through blog mining and an extensive literature search
As mobile malware and viruses rapidly increase in frequency and sophistication, mobile social media has recently become a very popular attack vector. The purpose of this paper is to survey the state of the art of the security aspects of mobile social media, identify...
Delegate the smartphone user? Security awareness in smartphone platforms
Smartphone users increasingly download and install third-party applications from official application repositories. Attackers may use this centralized application delivery architecture as a security and privacy attack vector. This risk increases since application...
The righteous mind: Why good people are divided by politics and religion (Chapter 7)
In chapter 7 of this book, Jonathan Haidt draws on economic and social psychological research to show how demonstrations of violations of care, fairness, loyalty, authority and sanctity can be used in different ways to promote both right wing and left wing political...
The effects of sanctions and stigmas on cyberloafing
This paper addresses the issue of cyberloafing, a widespread problem for many organizations. Some researchers propose a deterrence approach, using acceptable use policies for internet-based applications along with mechanisms to monitor employee internet usage and...
My profile is my password, verify me! The privacy/convenience tradeoff of Facebook Connect
We performed a laboratory experiment to study the privacy tradeoff offered by Facebook Connect: disclosing Facebook profile data to third-party websites for the convenience of logging in without creating separate accounts. We controlled for trustworthiness and amount...
Improving password cybersecurity through inexpensive and minimally invasive means: Detecting and deterring password reuse through keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals
Password reuse – using the same password for multiple accounts – is a prevalent phenomenon that can make even the most secure systems vulnerable. When passwords are reused across multiple systems, hackers may compromise accounts by stealing passwords from low-security...
QRishing: The susceptibility of smartphone users to QR code phishing attacks
The matrix barcodes known as Quick Response (QR) codes are rapidly becoming pervasive in urban environments around the world. QR codes are used to represent data, such as a web address, in a compact form that can be scanned readily and parsed by consumer mobile...
Enemies within: Redefining the insider threat in organizational security policy
This article critically examines the insider threat in organizations in the context of electronic information exchanges. The current data loss threat model primarily focuses on the criminal outsider, often viewing the insider threat as 'outsiders by proxy'. This...
Using phishing to test social engineering awareness of financial employees
Social engineering is the biggest security threat to financial institutions because it exploits the weakest link in any security system: the human element. It is proposed here that combining specialized training on social engineering followed by repeated audit tests...
A study of user password strategy for multiple accounts
Despite advances in biometrics and other technologies, passwords remain the most commonly used means of authentication in computer systems. Users maintain different security levels for different passwords. In this study, we examine the degree of similarity among...
Targeted risk communication for computer security
Attacks on computer systems are rapidly becoming more numerous and more sophisticated, and current preventive techniques do not seem able to keep pace. Many successful attacks can be attributed to user errors: for example, while focused on other tasks, users may...