Bhana, Anusha; Ophoff, Jacques
2023 Information and Computer Security
Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context.
Design/methodology/approach: A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company.
Findings: A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain.
Originality/value: This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.
2023 Information and Computer Security
This study aims to elicit an understanding of creativity and innovation to enable a totally aligned information security culture. A model is proposed to encourage creativity and innovation as part of the information security culture.
Design/methodology/approach: The study first applied a theoretical approach with a scoping literature review using the preferred reporting items for systematic reviews and meta-analyses method to propose a conceptual model for engendering employee creativity and innovation as part of the information security culture. A qualitative research method was further applied with expert interviews and qualitative data analysis in Atlas.ti to validate and refine the conceptual model.
Findings: A refined and validated information security culture model enabled through creativity and innovation is presented. The input from the expert panel was used to extend the model by 18 elements highlighting that the risk appetite of an organisation defines how much creativity and innovation can be tolerated to reach a balance with the potential risks it might introduce. Embedding creativity and innovation as part of the organisational culture to facilitate it further as part of the information security culture can aid in combating cyber threats and incidents; however, it should be managed through a decision-making process while governed within policies that define the boundaries of creativity and innovation in information security.
Research limitations/implications: The research serves as a point of reference for further research about the influence of creativity and innovation in information security culture which can be investigated through structural equation modelling.
Practical implications: This study offers novel insights for managerial practice to encourage creativity and innovation as part of information security.
Originality/value: The research proposes a novel concept of introducing creativity and innovation as part of the information security culture and presents a novel model to facilitate this.
Lindqvist, Gunnar; Kävrestad, Joakim
2023 Information and Computer Security
The purpose of this paper is to identify whether there is a lower willingness to report a crime if a victim must hand in their mobile phone as evidence. If that is the case, the research seeks to examine whether privacy concerns and lower willingness correlate with one another and thereby investigate whether privacy concerns could lead to fewer crimes being reported and resolved.
Design/methodology/approach: A mobile phone survey was distributed to 400 Swedish adults to identify their hypothetical willingness to report certain crimes with and without handing in their mobile phones as evidence. The results were then analysed using inferential statistics.
Findings: The result suggests that there is no meaningful correlation between privacy attitudes and willingness to report crime when the handover of a mobile phone is necessary. The results of this study, however, show a significantly lower willingness to report crimes when the mobile phone must be handed in.
Research limitations/implications: Because the chosen target group were Swedish adults, the research results may lack generalisability for other demographics. Therefore, researchers are encouraged to test other demographics.
Originality/value: This paper’s contribution is the novel exploration of attitudes and behaviours regarding the combination of privacy, digital forensics, mobile phones and crime reportage. This research effort examined the problematic situation that can arise for victims of crime: the invasion of privacy when providing evidence by handing in a mobile phone to the police’s forensic unit for examination.
Glas, Magdalena; Vielberth, Manfred; Reittinger, Tobias; Böhm, Fabian; Pernul, Günther
2023 Information and Computer Security
Cybersecurity training plays a decisive role in overcoming the global shortage of cybersecurity experts and the risks this shortage poses to organizations' assets. Seeking to make the training of those experts as efficacious and efficient as possible, this study investigates the potential of visual programming languages (VPLs) for training in cyber ranges. For this matter, the VPL Blockly was integrated into an existing cyber range training to facilitate learning a code-based cybersecurity task, namely, creating code-based correlation rules for a security information and event management (SIEM) system.
Design/methodology/approach: To evaluate the VPL’s effect on the cyber range training, the authors conducted a user study as a randomized controlled trial with 30 participants. In this study, the authors compared skill development of participants creating SIEM rules using Blockly (experimental group) with participants using a textual programming approach (control group) to create the rules.
Findings: This study indicates that using a VPL in a cybersecurity training can improve the participants' perceived learning experience compared to the control group while providing equally good learning outcomes.
Originality/value: The originality of this work lies in studying the effect of using a VPL to learn a code-based cybersecurity task. This effect has not previously been investigated in comparison with the conventional textual syntax through a randomized controlled trial.
Rostami, Elham; Karlsson, Fredrik; Gao, Shang
2023 Information and Computer Security
This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).
Design/methodology/approach: This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.
Findings: This study’s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.
Research limitations/implications: The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.
Practical implications: Practitioners can use the model to develop software that assists information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.
Originality/value: The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.
Shanley, Aleatha; Johnstone, Mike; Szewczyk, Patryk; Crowley, Michael
2023 Information and Computer Security
Using technology to meet national security expectations and requirements is not new. Nations attempt to strike a balance between security and the (expressed or otherwise) privacy needs of citizens. Attacks (physical or cyber) on citizens shift the equilibrium point towards security. In contrast, civil liberties organisations act to preserve or increase privacy. The purpose of this paper is to explore Australian attitudes towards privacy and surveillance during the COVID-19 pandemic. In addition, this paper aims to discover what (if any) factors contribute to societal acceptance of privacy encroachment implicated by surveillance programs.
Design/methodology/approach: Data collection occurred during 2021 using a cross-sectional survey comprising a variety of self-assessment questions. In addition, anchoring vignettes were introduced as a means of contextualising complex concepts, i.e. privacy and security. Finally, latent class analysis (LCA) was used to identify homogenous patterns within the data, referred to as “classes” for the analysis of trust.
Findings: First, the survey revealed that citizens appear to be unconcerned about surveillance in public and private spaces (although this may be a temporary effect resulting from the pandemic). The potential for identification, however, does raise concerns. Second, LCA surfaced a specific group that was more likely to trust entities and showed less concern about surveillance in society. Finally, even this latter group displayed a “trust deficit” in specific organisations (private businesses and social media firms).
Research limitations/practical implications: The tension between security and privacy remains, even in a post-pandemic world; therefore, the authors consider that the results, whilst interesting, are preliminary. Notwithstanding this, the findings provide insight into Australian attitudes towards privacy and surveillance and, consequently, provide input into public policy.
Originality/value: This is the most recent survey of the Australian public concerning this issue. The analysis of the effect of the pandemic on attitudes provides further value.
Chhetri, Chola; Motti, Vivian Genaro
2023 Information and Computer Security
Past research shows that users of smart home devices (SHDs) have privacy concerns. These concerns have been validated by technical research showing that SHDs introduce many privacy risks. However, there is limited research addressing these concerns and risks. This paper aims to bridge this gap by informing the design of data-related privacy controls for SHDs.
Design/methodology/approach: In this paper, the authors follow a user-centered design approach to design data-related privacy controls from design requirements backed by literature. The authors test the design for usability and perceived information control using psychometrically validated scales. For this purpose, two variations of the prototype (MyCam1 with a listing of data-related privacy controls and MyCam2 with three privacy presets) were created and tested in a between-subjects experimental setting. Study participants (n = 207) were recruited via Mechanical Turk and asked to use the prototype app. An online survey was distributed to the participants to measure some usability and privacy-related constructs.
Findings: Findings show that the presented prototype designs were usable and met the privacy control needs of users. The prototype design with privacy presets (MyCam2) was found to be significantly more usable than the list of privacy controls (MyCam1).
Originality: The findings of this paper are original and build on the paper presented at the International Symposium on Human Aspects of Information Security and Assurance (HAISA 2022). This paper contributes improved and usable designs of privacy controls for smart home applications.